Analysis Overview
Threat Level: Likely malicious
The file https://github.com/JackDoesMalwares/Gocullinator was found to be: Likely malicious.
Malicious Activity Summary
Possible privilege escalation attempt
Disables Task Manager via registry modification
Downloads MZ/PE file
Disables RegEdit via registry modification
Modifies file permissions
Executes dropped EXE
Writes to the Master Boot Record (MBR)
Legitimate hosting services abused for malware hosting/C2
Power Settings
Enumerates processes with tasklist
Subvert Trust Controls: Mark-of-the-Web Bypass
Launches sc.exe
Event Triggered Execution: Accessibility Features
Access Token Manipulation: Create Process with Token
System Network Configuration Discovery: Internet Connection Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Program crash
Delays execution with timeout.exe
Gathers network information
NTFS ADS
Runs ping.exe
Runs net.exe
Gathers system information
Runs regedit.exe
Suspicious use of FindShellTrayWindow
Checks SCSI registry key(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Checks processor information in registry
Modifies registry class
Suspicious use of SendNotifyMessage
Suspicious behavior: GetForegroundWindowSpam
Kills process with taskkill
Views/modifies file attributes
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-03 15:25
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-03 15:25
Reported
2024-10-03 15:28
Platform
win7-20240903-en
Max time kernel
166s
Max time network
162s
Command Line
Signatures
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\RBXMCPQKVAOE.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\Downloads\RBXMCPQKVAOE.exe | N/A |
Subvert Trust Controls: Mark-of-the-Web Bypass
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\Downloads\RBXMCPQKVAOE.exe:Zone.Identifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\RBXMCPQKVAOE.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\Downloads\RBXMCPQKVAOE.exe:Zone.Identifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\Downloads\RBXMCPQKVAOE.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://github.com/JackDoesMalwares/Gocullinator"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://github.com/JackDoesMalwares/Gocullinator
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1720.0.1034615697\453941653" -parentBuildID 20221007134813 -prefsHandle 1264 -prefMapHandle 1224 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {02517c96-9d21-4232-9572-1c8a3e932c9d} 1720 "\\.\pipe\gecko-crash-server-pipe.1720" 1388 10df1958 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1720.1.1266703297\1404935228" -parentBuildID 20221007134813 -prefsHandle 1544 -prefMapHandle 1540 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c849fbc8-a6e0-4cb9-975f-4d8153481169} 1720 "\\.\pipe\gecko-crash-server-pipe.1720" 1556 f70e58 socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1720.2.1473720956\328632323" -childID 1 -isForBrowser -prefsHandle 2060 -prefMapHandle 2056 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 896 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f886b97b-713b-4dfc-9177-45859a76e875} 1720 "\\.\pipe\gecko-crash-server-pipe.1720" 2072 19096558 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1720.3.420888998\1911356028" -childID 2 -isForBrowser -prefsHandle 2760 -prefMapHandle 2756 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 896 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e62a3277-5b6e-41e6-83d6-59d5130dd75b} 1720 "\\.\pipe\gecko-crash-server-pipe.1720" 2772 14fa3f58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1720.4.53340760\72235287" -childID 3 -isForBrowser -prefsHandle 3948 -prefMapHandle 3944 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 896 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2dd3639d-ad7a-498d-82c0-8ad25f87a6a6} 1720 "\\.\pipe\gecko-crash-server-pipe.1720" 3960 216f0358 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1720.5.833979994\1769965580" -childID 4 -isForBrowser -prefsHandle 4060 -prefMapHandle 4064 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 896 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a1a0e1ff-afef-4786-84db-91d0a7587dd5} 1720 "\\.\pipe\gecko-crash-server-pipe.1720" 4048 21960d58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1720.6.1070054537\1888999325" -childID 5 -isForBrowser -prefsHandle 4236 -prefMapHandle 4240 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 896 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b4471606-40f8-4f33-a5bc-dd68d5caf268} 1720 "\\.\pipe\gecko-crash-server-pipe.1720" 4224 21962258 tab
C:\Users\Admin\Downloads\RBXMCPQKVAOE.exe
"C:\Users\Admin\Downloads\RBXMCPQKVAOE.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | spocs.getpocket.com | udp |
| US | 8.8.8.8:53 | getpocket.cdn.mozilla.net | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 34.120.5.221:443 | getpocket.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | github.githubassets.com | udp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 8.8.8.8:53 | github.githubassets.com | udp |
| US | 8.8.8.8:53 | github.githubassets.com | udp |
| N/A | 127.0.0.1:49199 | N/A | tcp |
| N/A | 127.0.0.1:49207 | N/A | tcp |
| US | 8.8.8.8:53 | collector.github.com | udp |
| US | 140.82.113.21:443 | collector.github.com | tcp |
| US | 8.8.8.8:53 | glb-db52c2cf8be544.github.com | udp |
| US | 8.8.8.8:53 | api.github.com | udp |
| US | 140.82.113.21:443 | glb-db52c2cf8be544.github.com | tcp |
| US | 8.8.8.8:53 | glb-db52c2cf8be544.github.com | udp |
| GB | 20.26.156.210:443 | api.github.com | tcp |
| US | 8.8.8.8:53 | api.github.com | udp |
| US | 8.8.8.8:53 | avatars.githubusercontent.com | udp |
| US | 8.8.8.8:53 | api.github.com | udp |
| US | 185.199.110.133:443 | avatars.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | avatars.githubusercontent.com | udp |
| US | 8.8.8.8:53 | avatars.githubusercontent.com | udp |
| US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | ciscobinary.openh264.org | udp |
| DE | 23.55.161.185:80 | ciscobinary.openh264.org | tcp |
| US | 8.8.8.8:53 | a19.dscg10.akamai.net | udp |
| US | 8.8.8.8:53 | a19.dscg10.akamai.net | udp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| GB | 172.217.16.238:443 | redirector.gvt1.com | tcp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| GB | 172.217.16.238:443 | redirector.gvt1.com | udp |
| US | 8.8.8.8:53 | r4---sn-aigl6nsd.gvt1.com | udp |
| GB | 74.125.105.41:443 | r4---sn-aigl6nsd.gvt1.com | tcp |
| US | 8.8.8.8:53 | r4.sn-aigl6nsd.gvt1.com | udp |
| US | 8.8.8.8:53 | r4.sn-aigl6nsd.gvt1.com | udp |
| GB | 74.125.105.41:443 | r4.sn-aigl6nsd.gvt1.com | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
Files
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.default-release\datareporting\glean\db\data.safe.bin
| MD5 | 3fff00c0617a7331a6a58a33b8474a91 |
| SHA1 | 5915511995f31c1baf16e6e19575800b0242d42a |
| SHA256 | 6ba5399e82344ad9903977a38a2815543378300ada54c65657927ee1bf267ec6 |
| SHA512 | d22d65e7f3a5ab74fcfccfb486b5f5fa129f2ec77cae60a81397b1834ae7eab3041f5707376cd5cfce7e3a176e893ab66c9dc6dadb3e75ce68b591c45e6824e8 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.default-release\datareporting\glean\pending_pings\759b2cf7-c048-493f-9b37-8d99d2e9f050
| MD5 | a259d73664a44030fac7ef819666951f |
| SHA1 | dcc801660d4da5a327d87782acf4ba98cdf8545f |
| SHA256 | 4b7cdca502f3aaaebfac8a3ecee28df4e9ff315d9f6c1d0da98db7ec65cd5b58 |
| SHA512 | 2a030fa1886aef307b8023b13e4c06e016c4b26bc7c45a8ca36be244050f4fd6da4b2e5d5d98ac319ff29da58468301f5f7f393ceb428666fbc71c62814bac64 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.default-release\datareporting\glean\pending_pings\4e615eb9-9854-4325-9ba0-8b8ac5062fd4
| MD5 | d1f0ff3e55e0ff723298b9b723036643 |
| SHA1 | 5f78678b3a802ae5171737d23bb8c4b4cd86526a |
| SHA256 | 4313396b8c75de4e14551e7bc7b11c638b67726df610f668cd3d4218bbcc33b5 |
| SHA512 | 866578cee50c2d61f6efcc3114bd10a1c89a9d2c1925f7e55e4e90e979b54e85a5635112090fc8c97e8c9976ac1f65b752dc2b9676211ed302f3be96b0136a77 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\o97f221x.default-release\activity-stream.discovery_stream.json.tmp
| MD5 | c241be5d8627926ad2ff5f0517251b40 |
| SHA1 | b2cc4b844967d2260542966daa2f7498a04140c0 |
| SHA256 | 1ae8e5e30570e45a18a86af752244a959a4fbdf2d56106c419d2761386ea0c2d |
| SHA512 | caeffc44074ca1173021f4f21030b43ca22431648d6d29358261c5f4239932bf56fd734bc941fae9b81013ad55d1859a876882334a924185f8fba07bd03c35d7 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.default-release\prefs.js
| MD5 | 345dedd4cbe6c4ca4c4212e77279f5b4 |
| SHA1 | 8fe95d7fccb32e01f2d07095efc83199df8d6bd5 |
| SHA256 | bd0f88a85f676b7c5f323d116fbe4542db3faa629f7e925cdd6f07b55d44e47c |
| SHA512 | 937d280563617202dc5070cdd480fc54860622ec0efee7d1cacab42f0fd4e4ef4a6e0edc544fa65fd0c55b01b48d38ab2b36a6fd3f5e880402fc36f86b9c6d09 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.default-release\prefs.js
| MD5 | e92a2a01741b0cfb84d219884389ac73 |
| SHA1 | 4aa48331d2fa6cd16362c8d4128d8e7b806a4dfa |
| SHA256 | d0511c3539a92e2892daa499d02613e8ef114ff4a0f6d9904456a28e9c35b886 |
| SHA512 | c08cf2003059c6ca0084909caeeeccad2a7e8a5eba3a605c50d4eec807e3c66ffee02891f817076e80d95d92f21c68cdfedd2eadba100779c9739fd8218f9234 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | df659f1015e547460fa6ff1401ea3e82 |
| SHA1 | 8170ef4206a5476f48e3f92e1b16afe7c0d99bc5 |
| SHA256 | 8049b14fbbf355a0500e4b71366347c1da03f9bf25994c2aa0d9336ea9cbd4ad |
| SHA512 | 6d1f85416a2aa3f9785f34063c18bcaaa15faea1a66fcf48452aab69620684a10ce60649a858bf98bb9f60a8c701d1a53e570a3ab27cb6484271f0d70013983c |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | d8513ef23fff8121b03cfadd510765bd |
| SHA1 | 359410ebcb215b0b3507e2a494c09589307b780d |
| SHA256 | fe59441a6d6630db65ab4d4ff463c48e52f6d3e7f4611dd23966c1ce3a3215db |
| SHA512 | 14b7117f1f81cd174b24a40023c8ff71ae409578a24a841378a66634d4c30b0706f9b240e2037826ca0a5b827c4155bfe6f489cb17bc8da772614440fddd6c95 |
C:\Users\Admin\AppData\Local\Temp\tmpaddon
| MD5 | 85430baed3398695717b0263807cf97c |
| SHA1 | fffbee923cea216f50fce5d54219a188a5100f41 |
| SHA256 | a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e |
| SHA512 | 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
| MD5 | fe3355639648c417e8307c6d051e3e37 |
| SHA1 | f54602d4b4778da21bc97c7238fc66aa68c8ee34 |
| SHA256 | 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e |
| SHA512 | 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
| MD5 | 3d33cdc0b3d281e67dd52e14435dd04f |
| SHA1 | 4db88689282fd4f9e9e6ab95fcbb23df6e6485db |
| SHA256 | f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b |
| SHA512 | a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.default-release\prefs-1.js
| MD5 | 3605385899c7ee3a2a078f7907cd3bb5 |
| SHA1 | 7121bd76659b7202cc67c26ad73c6f619a3009d9 |
| SHA256 | 8fa23562d6b3c0952969d52e116574b68c3a1c637103a89368533826c62d4a92 |
| SHA512 | d580c9a14cbd67e722a436ab6dab953a10beb1cff2e3ba263b6b3efe60c14e93a2a92c2d244bab29a68688895bba8c0127d2c50ffcc9ab8b93fd9fb74eba1664 |
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
| MD5 | a01c5ecd6108350ae23d2cddf0e77c17 |
| SHA1 | c6ac28a2cd979f1f9a75d56271821d5ff665e2b6 |
| SHA256 | 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42 |
| SHA512 | b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
| MD5 | 49ddb419d96dceb9069018535fb2e2fc |
| SHA1 | 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6 |
| SHA256 | 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539 |
| SHA512 | 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
| MD5 | 8be33af717bb1b67fbd61c3f4b807e9e |
| SHA1 | 7cf17656d174d951957ff36810e874a134dd49e0 |
| SHA256 | e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd |
| SHA512 | 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
| MD5 | 937326fead5fd401f6cca9118bd9ade9 |
| SHA1 | 4526a57d4ae14ed29b37632c72aef3c408189d91 |
| SHA256 | 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81 |
| SHA512 | b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
| MD5 | 688bed3676d2104e7f17ae1cd2c59404 |
| SHA1 | 952b2cdf783ac72fcb98338723e9afd38d47ad8e |
| SHA256 | 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237 |
| SHA512 | 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
| MD5 | 33bf7b0439480effb9fb212efce87b13 |
| SHA1 | cee50f2745edc6dc291887b6075ca64d716f495a |
| SHA256 | 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e |
| SHA512 | d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275 |
C:\Users\Admin\Downloads\RBXMCPQKVAOE.exe
| MD5 | 37b2ae3d81f0090ffd447506ce737cfe |
| SHA1 | 59d4ece8c1b01bca1606283a53666a71092ae9e9 |
| SHA256 | b66ffd832f2b39df63a44427e56dab12b2d3bceb8c109b58b7a297bb943c28a0 |
| SHA512 | 54574e4f15c94eaeecde086740e9117252f119ffde3be556b220e06e73c41ea11b4682921b44d79b76a60f610802f1feae054c322bbfdad4551e1edf355e79ec |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-03 15:25
Reported
2024-10-03 15:34
Platform
win11-20240802-en
Max time kernel
519s
Max time network
522s
Command Line
Signatures
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\Downloads\Holzer.exe | N/A |
Disables Task Manager via registry modification
Downloads MZ/PE file
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\Holzer.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Power Settings
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\powercfg.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\Downloads\Holzer.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Subvert Trust Controls: Mark-of-the-Web Bypass
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\Downloads\Holzer.exe:Zone.Identifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Access Token Manipulation: Create Process with Token
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\runas.exe | N/A |
Enumerates physical storage devices
Event Triggered Execution: Accessibility Features
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\ctfmon.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\OneDriveSetup.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\OneDriveSetup.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\Windows.WARP.JITService.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ARP.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\bitsadmin.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\bthudtask.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\certreq.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\CameraSettingsUIHost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\CertEnrollCtrl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\Holzer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\at.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\backgroundTaskHost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\BackgroundTransferHost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\certutil.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\AtBroker.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\auditpol.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\calc.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PATHPING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\RpcPing.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\TRACERT.EXE | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\system32\svchost.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\NETSTAT.EXE | N/A |
Gathers system information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\systeminfo.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | C:\Windows\SysWOW64\certreq.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-970747758-134341002-3585657277-1000\{AA1574B9-725A-4BA9-8892-1882E789B9B9} | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings | C:\Windows\SysWOW64\calc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\SysWOW64\certreq.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\SysWOW64\certreq.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e8005398e082303024b98265d99428e115f0000 | C:\Windows\SysWOW64\certreq.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | C:\Windows\SysWOW64\certreq.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" | C:\Windows\SysWOW64\certreq.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 | C:\Windows\SysWOW64\certreq.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell | C:\Windows\SysWOW64\certreq.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Windows\SysWOW64\certreq.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | C:\Windows\SysWOW64\certreq.exe | N/A |
| Key created | \Registry\User\S-1-5-21-970747758-134341002-3585657277-1000_Classes\NotificationData | C:\Windows\SysWOW64\certreq.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Windows\SysWOW64\certreq.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings | C:\Windows\SysWOW64\certreq.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\SysWOW64\certreq.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\SysWOW64\certreq.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | C:\Windows\SysWOW64\certreq.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | C:\Windows\SysWOW64\certreq.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | C:\Windows\SysWOW64\certreq.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff | C:\Windows\SysWOW64\certreq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}" | C:\Windows\SysWOW64\certreq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Downloads" | C:\Windows\SysWOW64\certreq.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Windows\SysWOW64\certreq.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\Downloads\Holzer.exe:Zone.Identifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Runs net.exe
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Runs regedit.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\Holzer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Users\Admin\Downloads\Holzer.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Users\Admin\Downloads\Holzer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\auditpol.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Users\Admin\Downloads\Holzer.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Users\Admin\Downloads\Holzer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\certreq.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\certreq.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\certreq.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\certreq.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\certreq.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\certreq.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\certreq.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\certreq.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\certreq.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\certreq.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\certreq.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\certreq.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\certreq.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\certreq.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\certreq.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
| Process | Command line |
| C:\Program Files\Mozilla Firefox\firefox.exe | "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://github.com/JackDoesMalwares/Gocullinator" |
| C:\Program Files\Mozilla Firefox\firefox.exe | "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://github.com/JackDoesMalwares/Gocullinator |
| C:\Program Files\Mozilla Firefox\firefox.exe | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1992 -parentBuildID 20240401114208 -prefsHandle 1920 -prefMapHandle 1912 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e4f901b4-8da8-4b67-a8c3-e817742b9d9c} 3760 "\\.\pipe\gecko-crash-server-pipe.3760" gpu |
| C:\Program Files\Mozilla Firefox\firefox.exe | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2408 -parentBuildID 20240401114208 -prefsHandle 2384 -prefMapHandle 2380 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {89f308c0-582c-424b-93b9-9f919efb790c} 3760 "\\.\pipe\gecko-crash-server-pipe.3760" socket |
| C:\Program Files\Mozilla Firefox\firefox.exe | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3360 -childID 1 -isForBrowser -prefsHandle 3316 -prefMapHandle 3228 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a8e08d65-83c9-48f0-a3ac-29a81ac67129} 3760 "\\.\pipe\gecko-crash-server-pipe.3760" tab |
| C:\Program Files\Mozilla Firefox\firefox.exe | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3896 -childID 2 -isForBrowser -prefsHandle 3884 -prefMapHandle 3872 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f18617fd-ec78-4a79-8e0b-ad1b04aed10e} 3760 "\\.\pipe\gecko-crash-server-pipe.3760" tab |
| C:\Program Files\Mozilla Firefox\firefox.exe | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4756 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4720 -prefMapHandle 4704 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {84b89f38-1935-469b-9091-c4a700261a74} 3760 "\\.\pipe\gecko-crash-server-pipe.3760" utility |
| C:\Program Files\Mozilla Firefox\firefox.exe | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4780 -childID 3 -isForBrowser -prefsHandle 5324 -prefMapHandle 5356 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ab03baea-a622-423d-9fcf-b0812ed55fa6} 3760 "\\.\pipe\gecko-crash-server-pipe.3760" tab |
| C:\Program Files\Mozilla Firefox\firefox.exe | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5680 -childID 4 -isForBrowser -prefsHandle 5468 -prefMapHandle 5480 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f96803fc-7380-4b51-905f-eeb1d312d610} 3760 "\\.\pipe\gecko-crash-server-pipe.3760" tab |
| C:\Program Files\Mozilla Firefox\firefox.exe | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5844 -childID 5 -isForBrowser -prefsHandle 5852 -prefMapHandle 5856 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4cbd94b5-0374-4b8e-9b3e-6177ac9e3789} 3760 "\\.\pipe\gecko-crash-server-pipe.3760" tab |
| C:\Users\Admin\Downloads\Holzer.exe | "C:\Users\Admin\Downloads\Holzer.exe" |
| C:\Windows\system32\AUDIODG.EXE | C:\Windows\system32\AUDIODG.EXE 0x00000000000004DC 0x00000000000004E0 |
| C:\Windows\SysWOW64\agentactivationruntimestarter.exe | "C:\Windows\System32\agentactivationruntimestarter.exe" |
| C:\Windows\SysWOW64\appidtel.exe | "C:\Windows\System32\appidtel.exe" |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k AarSvcGroup -p -s AarSvc |
| C:\Windows\SysWOW64\ARP.EXE | "C:\Windows\System32\ARP.EXE" |
| C:\Windows\SysWOW64\at.exe | "C:\Windows\System32\at.exe" |
| C:\Windows\SysWOW64\AtBroker.exe | "C:\Windows\System32\AtBroker.exe" |
| C:\Windows\SysWOW64\attrib.exe | "C:\Windows\System32\attrib.exe" |
| C:\Windows\SysWOW64\auditpol.exe | "C:\Windows\System32\auditpol.exe" |
| C:\Windows\SysWOW64\autochk.exe | "C:\Windows\System32\autochk.exe" |
| C:\Windows\SysWOW64\backgroundTaskHost.exe | "C:\Windows\System32\backgroundTaskHost.exe" |
| C:\Windows\SysWOW64\BackgroundTransferHost.exe | "C:\Windows\System32\BackgroundTransferHost.exe" |
| C:\Windows\SysWOW64\bitsadmin.exe | "C:\Windows\System32\bitsadmin.exe" |
| C:\Windows\SysWOW64\bthudtask.exe | "C:\Windows\System32\bthudtask.exe" |
| C:\Windows\SysWOW64\ByteCodeGenerator.exe | "C:\Windows\System32\ByteCodeGenerator.exe" |
| C:\Windows\SysWOW64\cacls.exe | "C:\Windows\System32\cacls.exe" |
| C:\Windows\SysWOW64\calc.exe | "C:\Windows\System32\calc.exe" |
| C:\Windows\system32\OpenWith.exe | C:\Windows\system32\OpenWith.exe -Embedding |
| C:\Windows\SysWOW64\CameraSettingsUIHost.exe | "C:\Windows\System32\CameraSettingsUIHost.exe" |
| C:\Windows\SysWOW64\CertEnrollCtrl.exe | "C:\Windows\System32\CertEnrollCtrl.exe" |
| C:\Windows\SysWOW64\certreq.exe | "C:\Windows\System32\certreq.exe" |
| C:\Windows\SysWOW64\certutil.exe | "C:\Windows\System32\certutil.exe" |
| C:\Windows\SysWOW64\charmap.exe | "C:\Windows\System32\charmap.exe" |
| C:\Windows\SysWOW64\CheckNetIsolation.exe | "C:\Windows\System32\CheckNetIsolation.exe" |
| C:\Windows\SysWOW64\chkdsk.exe | "C:\Windows\System32\chkdsk.exe" |
| C:\Windows\SysWOW64\chkntfs.exe | "C:\Windows\System32\chkntfs.exe" |
| C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe |
| C:\Windows\SysWOW64\choice.exe | "C:\Windows\System32\choice.exe" |
| C:\Windows\SysWOW64\cipher.exe | "C:\Windows\System32\cipher.exe" |
| C:\Windows\SysWOW64\cleanmgr.exe | "C:\Windows\System32\cleanmgr.exe" |
| C:\Windows\SysWOW64\cliconfg.exe | "C:\Windows\System32\cliconfg.exe" |
| C:\Windows\SysWOW64\clip.exe | "C:\Windows\System32\clip.exe" |
| C:\Windows\SysWOW64\CloudNotifications.exe | "C:\Windows\System32\CloudNotifications.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" |
| C:\Windows\SysWOW64\cmdkey.exe | "C:\Windows\System32\cmdkey.exe" |
| C:\Windows\SysWOW64\cmdl32.exe | "C:\Windows\System32\cmdl32.exe" |
| C:\Windows\SysWOW64\cmmon32.exe | "C:\Windows\System32\cmmon32.exe" |
| C:\Windows\SysWOW64\cmstp.exe | "C:\Windows\System32\cmstp.exe" |
| C:\Windows\SysWOW64\colorcpl.exe | "C:\Windows\System32\colorcpl.exe" |
| C:\Windows\SysWOW64\comp.exe | "C:\Windows\System32\comp.exe" |
| C:\Windows\SysWOW64\compact.exe | "C:\Windows\System32\compact.exe" |
| C:\Windows\SysWOW64\ComputerDefaults.exe | "C:\Windows\System32\ComputerDefaults.exe" |
| C:\Windows\SysWOW64\control.exe | "C:\Windows\System32\control.exe" |
| C:\Windows\SysWOW64\convert.exe | "C:\Windows\System32\convert.exe" |
| C:\Windows\explorer.exe | C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding |
| C:\Windows\SysWOW64\CredentialUIBroker.exe | "C:\Windows\System32\CredentialUIBroker.exe" |
| C:\Windows\SysWOW64\credwiz.exe | "C:\Windows\System32\credwiz.exe" |
| C:\Windows\SysWOW64\cscript.exe | "C:\Windows\System32\cscript.exe" |
| C:\Windows\SysWOW64\DllHost.exe | C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B} |
| C:\Windows\SysWOW64\ctfmon.exe | "C:\Windows\System32\ctfmon.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 6100 -ip 6100 |
| C:\Windows\SysWOW64\cttune.exe | "C:\Windows\System32\cttune.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 6100 -s 752 |
| C:\Windows\SysWOW64\cttunesvr.exe | "C:\Windows\System32\cttunesvr.exe" |
| C:\Windows\SysWOW64\curl.exe | "C:\Windows\System32\curl.exe" |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc |
| C:\Windows\SysWOW64\dccw.exe | "C:\Windows\System32\dccw.exe" |
| C:\Windows\SysWOW64\dcomcnfg.exe | "C:\Windows\System32\dcomcnfg.exe" |
| C:\Windows\system32\mmc.exe | C:\Windows\system32\mmc.exe C:\Windows\system32\comexp.msc |
| C:\Windows\SysWOW64\ddodiag.exe | "C:\Windows\System32\ddodiag.exe" |
| C:\Windows\SysWOW64\DevicePairingWizard.exe | "C:\Windows\System32\DevicePairingWizard.exe" |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService |
| C:\Windows\SysWOW64\dfrgui.exe | "C:\Windows\System32\dfrgui.exe" |
| C:\Windows\system32\dllhost.exe | C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} |
| C:\Windows\system32\dashost.exe | dashost.exe {8f2c8669-9cc5-4f33-9d99fbe439020899} |
| C:\Windows\SysWOW64\dialer.exe | "C:\Windows\System32\dialer.exe" |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv |
| C:\Windows\System32\msdtc.exe | C:\Windows\System32\msdtc.exe |
| C:\Windows\system32\dashost.exe | dashost.exe {9a67948a-716e-46d4-bbf330c1b70c9faa} |
| C:\Windows\SysWOW64\diskpart.exe | "C:\Windows\System32\diskpart.exe" |
| C:\Windows\SysWOW64\diskperf.exe | "C:\Windows\System32\diskperf.exe" |
| C:\Windows\System32\vdsldr.exe | C:\Windows\System32\vdsldr.exe -Embedding |
| C:\Windows\system32\dashost.exe | dashost.exe {1b3af844-aeff-48a8-927c08dace1d9ffd} |
| C:\Windows\System32\vds.exe | C:\Windows\System32\vds.exe |
| C:\Windows\SysWOW64\diskusage.exe | "C:\Windows\System32\diskusage.exe" |
| C:\Windows\SysWOW64\Dism.exe | "C:\Windows\System32\Dism.exe" |
| C:\Windows\SysWOW64\dllhost.exe | "C:\Windows\System32\dllhost.exe" |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k McpManagementServiceGroup |
| C:\Windows\SysWOW64\dllhst3g.exe | "C:\Windows\System32\dllhst3g.exe" |
| C:\Windows\SysWOW64\doskey.exe | "C:\Windows\System32\doskey.exe" |
| C:\Windows\SysWOW64\dpapimig.exe | "C:\Windows\System32\dpapimig.exe" |
| C:\Windows\SysWOW64\DpiScaling.exe | "C:\Windows\System32\DpiScaling.exe" |
| C:\Windows\explorer.exe | "C:\Windows\explorer.exe" ms-settings:display |
| C:\Windows\explorer.exe | C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService |
| C:\Windows\SysWOW64\driverquery.exe | "C:\Windows\System32\driverquery.exe" |
| C:\Windows\SysWOW64\dtdump.exe | "C:\Windows\System32\dtdump.exe" |
| C:\Windows\SysWOW64\dvdplay.exe | "C:\Windows\System32\dvdplay.exe" |
| C:\Program Files (x86)\Windows Media Player\wmplayer.exe | /device:dvd |
| C:\Windows\SysWOW64\unregmp2.exe | "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon |
| C:\Windows\SysWOW64\DWWIN.EXE | "C:\Windows\System32\DWWIN.EXE" |
| C:\Windows\system32\unregmp2.exe | "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT |
| C:\Windows\SysWOW64\dxdiag.exe | "C:\Windows\System32\dxdiag.exe" |
| C:\Windows\SysWOW64\EaseOfAccessDialog.exe | "C:\Windows\System32\EaseOfAccessDialog.exe" |
| C:\Windows\SysWOW64\edpnotify.exe | "C:\Windows\System32\edpnotify.exe" |
| C:\Windows\SysWOW64\efsui.exe | "C:\Windows\System32\efsui.exe" |
| C:\Windows\SysWOW64\EhStorAuthn.exe | "C:\Windows\System32\EhStorAuthn.exe" |
| C:\Windows\SysWOW64\esentutl.exe | "C:\Windows\System32\esentutl.exe" |
| C:\Windows\SysWOW64\eudcedit.exe | "C:\Windows\System32\eudcedit.exe" |
| C:\Windows\SysWOW64\eventcreate.exe | "C:\Windows\System32\eventcreate.exe" |
| C:\Windows\SysWOW64\eventvwr.exe | "C:\Windows\System32\eventvwr.exe" |
| C:\Windows\SysWOW64\mmc.exe | "C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc" |
| C:\Windows\system32\mmc.exe | "C:\Windows\system32\eventvwr.msc" "C:\Windows\system32\eventvwr.msc" |
| C:\Windows\SysWOW64\expand.exe | "C:\Windows\System32\expand.exe" |
| C:\Windows\SysWOW64\explorer.exe | "C:\Windows\System32\explorer.exe" |
| C:\Windows\SysWOW64\extrac32.exe | "C:\Windows\System32\extrac32.exe" |
| C:\Windows\SysWOW64\fc.exe | "C:\Windows\System32\fc.exe" |
| C:\Windows\SysWOW64\find.exe | "C:\Windows\System32\find.exe" |
| C:\Windows\SysWOW64\findstr.exe | "C:\Windows\System32\findstr.exe" |
| C:\Windows\SysWOW64\finger.exe | "C:\Windows\System32\finger.exe" |
| C:\Windows\SysWOW64\fixmapi.exe | "C:\Windows\System32\fixmapi.exe" |
| C:\Windows\SysWOW64\fltMC.exe | "C:\Windows\System32\fltMC.exe" |
| C:\Windows\SysWOW64\Fondue.exe | "C:\Windows\System32\Fondue.exe" |
| C:\Windows\SysWOW64\fontview.exe | "C:\Windows\System32\fontview.exe" |
| C:\Windows\SysWOW64\forfiles.exe | "C:\Windows\System32\forfiles.exe" |
| C:\Windows\SysWOW64\cmd.exe | /c echo "ApproveDeny.doc" |
| C:\Windows\SysWOW64\fsquirt.exe | "C:\Windows\System32\fsquirt.exe" |
| C:\Windows\SysWOW64\fsutil.exe | "C:\Windows\System32\fsutil.exe" |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument ftp://ftp.exe/ |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffb77d33cb8,0x7ffb77d33cc8,0x7ffb77d33cd8 |
| C:\Windows\SysWOW64\GameBarPresenceWriter.exe | "C:\Windows\System32\GameBarPresenceWriter.exe" |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2008,16969664999867716704,7030683202352837557,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2032 /prefetch:2 |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2008,16969664999867716704,7030683202352837557,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 /prefetch:3 |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2008,16969664999867716704,7030683202352837557,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2876 /prefetch:8 |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,16969664999867716704,7030683202352837557,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1 |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,16969664999867716704,7030683202352837557,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1 |
| C:\Windows\System32\CompPkgSrv.exe | C:\Windows\System32\CompPkgSrv.exe -Embedding |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2008,16969664999867716704,7030683202352837557,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3968 /prefetch:8 |
| C:\Windows\SysWOW64\GamePanel.exe | "C:\Windows\System32\GamePanel.exe" |
| C:\Windows\System32\CompPkgSrv.exe | C:\Windows\System32\CompPkgSrv.exe -Embedding |
| C:\Windows\SysWOW64\getmac.exe | "C:\Windows\System32\getmac.exe" |
| C:\Windows\SysWOW64\gpresult.exe | "C:\Windows\System32\gpresult.exe" |
| C:\Windows\SysWOW64\gpscript.exe | "C:\Windows\System32\gpscript.exe" |
| C:\Windows\SysWOW64\gpupdate.exe | "C:\Windows\System32\gpupdate.exe" |
| C:\Windows\SysWOW64\grpconv.exe | "C:\Windows\System32\grpconv.exe" |
| C:\Windows\SysWOW64\hdwwiz.exe | "C:\Windows\System32\hdwwiz.exe" |
| C:\Windows\SysWOW64\help.exe | "C:\Windows\System32\help.exe" |
| C:\Windows\SysWOW64\hh.exe | "C:\Windows\System32\hh.exe" |
| C:\Windows\SysWOW64\HOSTNAME.EXE | "C:\Windows\System32\HOSTNAME.EXE" |
| C:\Windows\SysWOW64\icacls.exe | "C:\Windows\System32\icacls.exe" |
| C:\Windows\SysWOW64\icsunattend.exe | "C:\Windows\System32\icsunattend.exe" |
| C:\Windows\SysWOW64\ieUnatt.exe | "C:\Windows\System32\ieUnatt.exe" |
| C:\Windows\SysWOW64\iexpress.exe | "C:\Windows\System32\iexpress.exe" |
| C:\Windows\SysWOW64\InfDefaultInstall.exe | "C:\Windows\System32\InfDefaultInstall.exe" |
| C:\Windows\SysWOW64\InputSwitchToastHandler.exe | "C:\Windows\System32\InputSwitchToastHandler.exe" |
| C:\Windows\SysWOW64\instnm.exe | "C:\Windows\System32\instnm.exe" |
| C:\Windows\SysWOW64\ipconfig.exe | "C:\Windows\System32\ipconfig.exe" |
| C:\Windows\SysWOW64\iscsicli.exe | "C:\Windows\System32\iscsicli.exe" |
| C:\Windows\SysWOW64\iscsicpl.exe | "C:\Windows\System32\iscsicpl.exe" |
| C:\Windows\system32\RunDll32.exe | C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL iscsicpl.dll,,0 |
| C:\Windows\SysWOW64\isoburn.exe | "C:\Windows\System32\isoburn.exe" |
| C:\Windows\SysWOW64\ktmutil.exe | "C:\Windows\System32\ktmutil.exe" |
| C:\Windows\SysWOW64\label.exe | "C:\Windows\System32\label.exe" |
| C:\Windows\SysWOW64\LaunchTM.exe | "C:\Windows\System32\LaunchTM.exe" |
| C:\Windows\SysWOW64\Taskmgr.exe | "C:\Windows\System32\Taskmgr.exe" |
| C:\Windows\SysWOW64\LaunchWinApp.exe | "C:\Windows\System32\LaunchWinApp.exe" |
| C:\Windows\SysWOW64\lodctr.exe | "C:\Windows\System32\lodctr.exe" |
| C:\Windows\SysWOW64\logagent.exe | "C:\Windows\System32\logagent.exe" |
| C:\Windows\SysWOW64\logman.exe | "C:\Windows\System32\logman.exe" |
| C:\Windows\SysWOW64\Magnify.exe | "C:\Windows\System32\Magnify.exe" |
| C:\Windows\SysWOW64\makecab.exe | "C:\Windows\System32\makecab.exe" |
| C:\Windows\SysWOW64\mavinject.exe | "C:\Windows\System32\mavinject.exe" |
| C:\Windows\SysWOW64\mcbuilder.exe | "C:\Windows\System32\mcbuilder.exe" |
| C:\Windows\SysWOW64\mfpmp.exe | "C:\Windows\System32\mfpmp.exe" |
| C:\Windows\SysWOW64\mmc.exe | "C:\Windows\System32\mmc.exe" |
| C:\Windows\system32\mmc.exe | "C:\Windows\system32\mmc.exe" |
| C:\Windows\SysWOW64\mmgaserver.exe | "C:\Windows\System32\mmgaserver.exe" |
| C:\Windows\SysWOW64\mobsync.exe | "C:\Windows\System32\mobsync.exe" |
| C:\Windows\SysWOW64\mountvol.exe | "C:\Windows\System32\mountvol.exe" |
| C:\Windows\SysWOW64\DllHost.exe | C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B} |
| C:\Windows\SysWOW64\MRINFO.EXE | "C:\Windows\System32\MRINFO.EXE" |
| C:\Windows\SysWOW64\msdt.exe | "C:\Windows\System32\msdt.exe" |
| C:\Windows\SysWOW64\msfeedssync.exe | "C:\Windows\System32\msfeedssync.exe" |
| C:\Windows\SysWOW64\mshta.exe | "C:\Windows\System32\mshta.exe" |
| C:\Windows\SysWOW64\msiexec.exe | "C:\Windows\System32\msiexec.exe" |
| C:\Windows\SysWOW64\msinfo32.exe | "C:\Windows\System32\msinfo32.exe" |
| C:\Windows\SysWOW64\msra.exe | "C:\Windows\System32\msra.exe" |
| C:\Windows\system32\msra.exe | "C:\Windows\system32\msra.exe" |
| C:\Windows\SysWOW64\mstsc.exe | "C:\Windows\System32\mstsc.exe" |
| C:\Windows\system32\mstsc.exe | "C:\Windows\System32\mstsc.exe" |
| C:\Windows\SysWOW64\mtstocom.exe | "C:\Windows\System32\mtstocom.exe" |
| C:\Windows\SysWOW64\MuiUnattend.exe | "C:\Windows\System32\MuiUnattend.exe" |
| C:\Windows\SysWOW64\ndadmin.exe | "C:\Windows\System32\ndadmin.exe" |
| C:\Windows\SysWOW64\net.exe | "C:\Windows\System32\net.exe" |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 |
| C:\Windows\SysWOW64\net1.exe | "C:\Windows\System32\net1.exe" |
| C:\Windows\SysWOW64\netbtugc.exe | "C:\Windows\System32\netbtugc.exe" |
| C:\Windows\SysWOW64\NetCfgNotifyObjectHost.exe | "C:\Windows\System32\NetCfgNotifyObjectHost.exe" |
| C:\Windows\SysWOW64\netiougc.exe | "C:\Windows\System32\netiougc.exe" |
| C:\Windows\SysWOW64\Netplwiz.exe | "C:\Windows\System32\Netplwiz.exe" |
| C:\Windows\SysWOW64\netsh.exe | "C:\Windows\System32\netsh.exe" |
| C:\Windows\SysWOW64\NETSTAT.EXE | "C:\Windows\System32\NETSTAT.EXE" |
| C:\Windows\SysWOW64\newdev.exe | "C:\Windows\System32\newdev.exe" |
| C:\Windows\SysWOW64\notepad.exe | "C:\Windows\System32\notepad.exe" |
| C:\Windows\SysWOW64\nslookup.exe | "C:\Windows\System32\nslookup.exe" |
| C:\Windows\SysWOW64\ntprint.exe | "C:\Windows\System32\ntprint.exe" |
| C:\Windows\SysWOW64\odbcad32.exe | "C:\Windows\System32\odbcad32.exe" |
| C:\Windows\SysWOW64\odbcconf.exe | "C:\Windows\System32\odbcconf.exe" |
| C:\Windows\SysWOW64\OneDriveSetup.exe | "C:\Windows\System32\OneDriveSetup.exe" |
| C:\Windows\SysWOW64\openfiles.exe | "C:\Windows\System32\openfiles.exe" |
| C:\Windows\SysWOW64\OpenWith.exe | "C:\Windows\System32\OpenWith.exe" |
| C:\Windows\SysWOW64\OposHost.exe | "C:\Windows\System32\OposHost.exe" |
| C:\Windows\SysWOW64\PackagedCWALauncher.exe | "C:\Windows\System32\PackagedCWALauncher.exe" |
| C:\Windows\SysWOW64\PasswordOnWakeSettingFlyout.exe | "C:\Windows\System32\PasswordOnWakeSettingFlyout.exe" |
| C:\Windows\SysWOW64\PATHPING.EXE | "C:\Windows\System32\PATHPING.EXE" |
| C:\Windows\SysWOW64\pcaui.exe | "C:\Windows\System32\pcaui.exe" |
| C:\Windows\SysWOW64\perfhost.exe | "C:\Windows\System32\perfhost.exe" |
| C:\Windows\SysWOW64\perfmon.exe | "C:\Windows\System32\perfmon.exe" |
| C:\Windows\SysWOW64\mmc.exe | "C:\Windows\system32\mmc.exe" "C:\Windows\system32\perfmon.msc" /32 |
| C:\Windows\SysWOW64\PickerHost.exe | "C:\Windows\System32\PickerHost.exe" |
| C:\Windows\SysWOW64\PING.EXE | "C:\Windows\System32\PING.EXE" |
| C:\Windows\SysWOW64\PkgMgr.exe | "C:\Windows\System32\PkgMgr.exe" |
| C:\Windows\SysWOW64\poqexec.exe | "C:\Windows\System32\poqexec.exe" |
| C:\Windows\SysWOW64\powercfg.exe | "C:\Windows\System32\powercfg.exe" |
| C:\Windows\SysWOW64\PresentationHost.exe | "C:\Windows\System32\PresentationHost.exe" |
| C:\Windows\SysWOW64\prevhost.exe | "C:\Windows\System32\prevhost.exe" |
| C:\Windows\SysWOW64\print.exe | "C:\Windows\System32\print.exe" |
| C:\Windows\SysWOW64\printui.exe | "C:\Windows\System32\printui.exe" |
| C:\Windows\SysWOW64\proquota.exe | "C:\Windows\System32\proquota.exe" |
| C:\Windows\SysWOW64\provlaunch.exe | "C:\Windows\System32\provlaunch.exe" |
C:\Windows\SysWOW64\psr.exe
"C:\Windows\System32\psr.exe"
C:\Windows\system32\psr.exe
"C:\Windows\system32\psr.exe"
C:\Windows\SysWOW64\quickassist.exe
"C:\Windows\System32\quickassist.exe"
C:\Windows\SysWOW64\rasautou.exe
"C:\Windows\System32\rasautou.exe"
C:\Windows\SysWOW64\rasdial.exe
"C:\Windows\System32\rasdial.exe"
C:\Windows\SysWOW64\raserver.exe
"C:\Windows\System32\raserver.exe"
C:\Windows\SysWOW64\OneDriveSetup.exe
"C:\Windows\SysWOW64\OneDriveSetup.exe" C:\Windows\SysWOW64\OneDriveSetup.exe /permachine /childprocess /silent /renameReplaceOneDriveExe /renameReplaceODSUExe /cusid:S-1-5-21-970747758-134341002-3585657277-1000
C:\Windows\SysWOW64\OneDriveSetup.exe
C:\Windows\SysWOW64\OneDriveSetup.exe /peruser /childprocess /renameReplaceOneDriveExe /renameReplaceODSUExe
C:\Windows\SysWOW64\rasphone.exe
"C:\Windows\System32\rasphone.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 10880 -ip 10880
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 10872 -ip 10872
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 10880 -s 1444
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 10872 -s 1388
C:\Windows\SysWOW64\RdpSa.exe
"C:\Windows\System32\RdpSa.exe"
C:\Windows\SysWOW64\RdpSaProxy.exe
"C:\Windows\System32\RdpSaProxy.exe"
C:\Windows\SysWOW64\RdpSaUacHelper.exe
"C:\Windows\System32\RdpSaUacHelper.exe"
C:\Windows\SysWOW64\rdrleakdiag.exe
"C:\Windows\System32\rdrleakdiag.exe"
C:\Windows\SysWOW64\ReAgentc.exe
"C:\Windows\System32\ReAgentc.exe"
C:\Windows\SysWOW64\RdpSa.exe
"C:\Windows\system32\RdpSa.exe"
C:\Windows\SysWOW64\recover.exe
"C:\Windows\System32\recover.exe"
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe"
C:\Windows\SysWOW64\regedit.exe
"C:\Windows\System32\regedit.exe"
C:\Windows\SysWOW64\regedt32.exe
"C:\Windows\System32\regedt32.exe"
C:\Windows\SysWOW64\regedit.exe
"C:\Windows\regedit.exe"
C:\Windows\SysWOW64\regini.exe
"C:\Windows\System32\regini.exe"
C:\Windows\SysWOW64\Register-CimProvider.exe
"C:\Windows\System32\Register-CimProvider.exe"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe"
C:\Windows\SysWOW64\rekeywiz.exe
"C:\Windows\System32\rekeywiz.exe"
C:\Windows\SysWOW64\relog.exe
"C:\Windows\System32\relog.exe"
C:\Windows\SysWOW64\replace.exe
"C:\Windows\System32\replace.exe"
C:\Windows\SysWOW64\resmon.exe
"C:\Windows\System32\resmon.exe"
C:\Windows\SysWOW64\RMActivate.exe
"C:\Windows\System32\RMActivate.exe"
C:\Windows\SysWOW64\perfmon.exe
"C:\Windows\System32\perfmon.exe" /res
C:\Windows\SysWOW64\RMActivate_isv.exe
"C:\Windows\System32\RMActivate_isv.exe"
C:\Windows\SysWOW64\RMActivate_ssp.exe
"C:\Windows\System32\RMActivate_ssp.exe"
C:\Windows\SysWOW64\RMActivate_ssp_isv.exe
"C:\Windows\System32\RMActivate_ssp_isv.exe"
C:\Windows\system32\perfmon.exe
"C:\Windows\Sysnative\perfmon.exe" /res
C:\Windows\SysWOW64\RmClient.exe
"C:\Windows\System32\RmClient.exe"
C:\Windows\SysWOW64\Robocopy.exe
"C:\Windows\System32\Robocopy.exe"
C:\Windows\SysWOW64\ROUTE.EXE
"C:\Windows\System32\ROUTE.EXE"
C:\Windows\SysWOW64\RpcPing.exe
"C:\Windows\System32\RpcPing.exe"
C:\Windows\SysWOW64\rrinstaller.exe
"C:\Windows\System32\rrinstaller.exe"
C:\Windows\SysWOW64\runas.exe
"C:\Windows\System32\runas.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe"
C:\Windows\SysWOW64\RunLegacyCPLElevated.exe
"C:\Windows\System32\RunLegacyCPLElevated.exe"
C:\Windows\SysWOW64\runonce.exe
"C:\Windows\System32\runonce.exe"
C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe"
C:\Windows\SysWOW64\sdbinst.exe
"C:\Windows\System32\sdbinst.exe"
C:\Windows\SysWOW64\sdchange.exe
"C:\Windows\System32\sdchange.exe"
C:\Windows\SysWOW64\sdiagnhost.exe
"C:\Windows\System32\sdiagnhost.exe"
C:\Windows\SysWOW64\SearchFilterHost.exe
"C:\Windows\System32\SearchFilterHost.exe"
C:\Windows\SysWOW64\SearchIndexer.exe
"C:\Windows\System32\SearchIndexer.exe"
C:\Windows\SysWOW64\SearchProtocolHost.exe
"C:\Windows\System32\SearchProtocolHost.exe"
C:\Windows\SysWOW64\SecEdit.exe
"C:\Windows\System32\SecEdit.exe"
C:\Windows\SysWOW64\secinit.exe
"C:\Windows\System32\secinit.exe"
C:\Windows\SysWOW64\sethc.exe
"C:\Windows\System32\sethc.exe"
C:\Windows\SysWOW64\setup16.exe
"C:\Windows\System32\setup16.exe"
C:\Windows\SysWOW64\setupugc.exe
"C:\Windows\System32\setupugc.exe"
C:\Windows\SysWOW64\setx.exe
"C:\Windows\System32\setx.exe"
C:\Windows\SysWOW64\sfc.exe
"C:\Windows\System32\sfc.exe"
C:\Windows\SysWOW64\shrpubw.exe
"C:\Windows\System32\shrpubw.exe"
C:\Windows\SysWOW64\shutdown.exe
"C:\Windows\System32\shutdown.exe"
C:\Windows\SysWOW64\SndVol.exe
"C:\Windows\System32\SndVol.exe"
C:\Windows\SysWOW64\sort.exe
"C:\Windows\System32\sort.exe"
C:\Windows\SysWOW64\SpatialAudioLicenseSrv.exe
"C:\Windows\System32\SpatialAudioLicenseSrv.exe"
C:\Windows\SysWOW64\srdelayed.exe
"C:\Windows\System32\srdelayed.exe"
C:\Windows\SysWOW64\stordiag.exe
"C:\Windows\System32\stordiag.exe"
C:\Windows\SysWOW64\subst.exe
"C:\Windows\System32\subst.exe"
C:\Windows\SysWOW64\svchost.exe
"C:\Windows\System32\svchost.exe"
C:\Windows\SysWOW64\sxstrace.exe
"C:\Windows\System32\sxstrace.exe"
C:\Windows\SysWOW64\SyncHost.exe
"C:\Windows\System32\SyncHost.exe"
C:\Windows\SysWOW64\systeminfo.exe
"C:\Windows\System32\systeminfo.exe"
C:\Windows\SysWOW64\SystemPropertiesAdvanced.exe
"C:\Windows\System32\SystemPropertiesAdvanced.exe"
C:\Windows\SysWOW64\SystemPropertiesComputerName.exe
"C:\Windows\System32\SystemPropertiesComputerName.exe"
C:\Windows\SysWOW64\SystemPropertiesDataExecutionPrevention.exe
"C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
C:\Windows\SysWOW64\SystemPropertiesHardware.exe
"C:\Windows\System32\SystemPropertiesHardware.exe"
C:\Windows\SysWOW64\SystemPropertiesPerformance.exe
"C:\Windows\System32\SystemPropertiesPerformance.exe"
C:\Windows\SysWOW64\SystemPropertiesProtection.exe
"C:\Windows\System32\SystemPropertiesProtection.exe"
C:\Windows\SysWOW64\SystemPropertiesRemote.exe
"C:\Windows\System32\SystemPropertiesRemote.exe"
C:\Windows\SysWOW64\SystemUWPLauncher.exe
"C:\Windows\System32\SystemUWPLauncher.exe"
C:\Windows\SysWOW64\systray.exe
"C:\Windows\System32\systray.exe"
C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe"
C:\Windows\SysWOW64\TapiUnattend.exe
"C:\Windows\System32\TapiUnattend.exe"
C:\Windows\SysWOW64\tar.exe
"C:\Windows\System32\tar.exe"
C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe"
C:\Windows\SysWOW64\tasklist.exe
"C:\Windows\System32\tasklist.exe"
C:\Windows\SysWOW64\Taskmgr.exe
"C:\Windows\System32\Taskmgr.exe"
C:\Windows\SYSTEM32\fltmc.exe
"fltmc.exe" volumes
C:\Windows\SysWOW64\tcmsetup.exe
"C:\Windows\System32\tcmsetup.exe"
C:\Windows\SYSTEM32\fltmc.exe
"fltmc.exe" instances
C:\Windows\SysWOW64\TCPSVCS.EXE
"C:\Windows\System32\TCPSVCS.EXE"
C:\Windows\SysWOW64\ThumbnailExtractionHost.exe
"C:\Windows\System32\ThumbnailExtractionHost.exe"
C:\Windows\SYSTEM32\fltmc.exe
"fltmc.exe" filters
C:\Windows\SysWOW64\timeout.exe
"C:\Windows\System32\timeout.exe"
C:\Windows\SysWOW64\TokenBrokerCookies.exe
"C:\Windows\System32\TokenBrokerCookies.exe"
C:\Windows\SysWOW64\TpmInit.exe
"C:\Windows\System32\TpmInit.exe"
C:\Windows\SysWOW64\TpmTool.exe
"C:\Windows\System32\TpmTool.exe"
C:\Windows\SysWOW64\tracerpt.exe
"C:\Windows\System32\tracerpt.exe"
C:\Windows\SysWOW64\TRACERT.EXE
"C:\Windows\System32\TRACERT.EXE"
C:\Windows\SysWOW64\TSTheme.exe
"C:\Windows\System32\TSTheme.exe"
C:\Windows\SysWOW64\TsWpfWrp.exe
"C:\Windows\System32\TsWpfWrp.exe"
C:\Windows\SysWOW64\ttdinject.exe
"C:\Windows\System32\ttdinject.exe"
C:\Windows\SysWOW64\tttracer.exe
"C:\Windows\System32\tttracer.exe"
C:\Windows\SysWOW64\typeperf.exe
"C:\Windows\System32\typeperf.exe"
C:\Windows\SysWOW64\tzutil.exe
"C:\Windows\System32\tzutil.exe"
C:\Windows\SysWOW64\unlodctr.exe
"C:\Windows\System32\unlodctr.exe"
C:\Windows\SysWOW64\unregmp2.exe
"C:\Windows\System32\unregmp2.exe"
C:\Windows\SysWOW64\upnpcont.exe
"C:\Windows\System32\upnpcont.exe"
C:\Windows\system32\unregmp2.exe
"C:\Windows\SysNative\unregmp2.exe" /REENTRANT
C:\Windows\SysWOW64\user.exe
"C:\Windows\System32\user.exe"
C:\Windows\SysWOW64\UserAccountBroker.exe
"C:\Windows\System32\UserAccountBroker.exe"
C:\Windows\SysWOW64\UserAccountControlSettings.exe
"C:\Windows\System32\UserAccountControlSettings.exe"
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{EA2C6B24-C590-457B-BAC8-4A0F9B13B5B8}
C:\Windows\SysWOW64\userinit.exe
"C:\Windows\System32\userinit.exe"
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\SysWOW64\Utilman.exe
"C:\Windows\System32\Utilman.exe"
C:\Windows\system32\utilman.exe
utilman.exe /debug
C:\Windows\SysWOW64\verclsid.exe
"C:\Windows\System32\verclsid.exe"
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06C792F8-6212-4F39-BF70-E8C0AC965C23}
C:\Windows\SysWOW64\verifiergui.exe
"C:\Windows\System32\verifiergui.exe"
C:\Windows\SysWOW64\w32tm.exe
"C:\Windows\System32\w32tm.exe"
C:\Windows\SysWOW64\waitfor.exe
"C:\Windows\System32\waitfor.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2008,16969664999867716704,7030683202352837557,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1732 /prefetch:2
C:\Windows\system32\w32tm.exe
"C:\Windows\System32\w32tm.exe"
C:\Windows\SysWOW64\wecutil.exe
"C:\Windows\System32\wecutil.exe"
C:\Windows\SysWOW64\WerFault.exe
"C:\Windows\System32\WerFault.exe"
C:\Windows\SysWOW64\WerFaultSecure.exe
"C:\Windows\System32\WerFaultSecure.exe"
C:\Windows\SysWOW64\wermgr.exe
"C:\Windows\System32\wermgr.exe"
C:\Windows\SysWOW64\wevtutil.exe
"C:\Windows\System32\wevtutil.exe"
C:\Windows\SysWOW64\wextract.exe
"C:\Windows\System32\wextract.exe"
C:\Windows\SysWOW64\where.exe
"C:\Windows\System32\where.exe"
C:\Windows\SysWOW64\whoami.exe
"C:\Windows\System32\whoami.exe"
C:\Windows\SysWOW64\wiaacmgr.exe
"C:\Windows\System32\wiaacmgr.exe"
C:\Windows\SysWOW64\Windows.Media.BackgroundPlayback.exe
"C:\Windows\System32\Windows.Media.BackgroundPlayback.exe"
C:\Windows\SysWOW64\wiaacmgr.exe
C:\Windows\SysWOW64\wiaacmgr.exe -Embedding
C:\Windows\SysWOW64\Windows.WARP.JITService.exe
"C:\Windows\System32\Windows.WARP.JITService.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 8648 -ip 8648
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8648 -s 236
C:\Windows\SysWOW64\winrs.exe
"C:\Windows\System32\winrs.exe"
C:\Windows\System32\wiawow64.exe
C:\Windows\System32\wiawow64.exe -Embedding
C:\Windows\SysWOW64\winrshost.exe
"C:\Windows\System32\winrshost.exe"
C:\Windows\SysWOW64\WinRTNetMUAHostServer.exe
"C:\Windows\System32\WinRTNetMUAHostServer.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:49732 | | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | spocs.getpocket.com | udp |
| US | 8.8.8.8:53 | firefox-api-proxy.cdn.mozilla.net | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 34.149.97.1:443 | firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net | tcp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 34.149.97.1:443 | firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 185.199.110.133:443 | avatars.githubusercontent.com | tcp |
| US | 140.82.113.21:443 | collector.github.com | tcp |
| GB | 20.26.156.210:443 | api.github.com | tcp |
| N/A | 127.0.0.1:49740 | | tcp |
| DE | 23.55.161.211:80 | ciscobinary.openh264.org | tcp |
| GB | 172.217.16.238:443 | redirector.gvt1.com | tcp |
| GB | 172.217.16.238:443 | redirector.gvt1.com | udp |
| GB | 173.194.183.137:443 | r4---sn-aigl6ner.gvt1.com | tcp |
| GB | 173.194.183.137:443 | r4---sn-aigl6ner.gvt1.com | udp |
| US | 34.117.121.53:443 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 34.117.121.53:443 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 34.117.121.53:443 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 34.117.121.53:443 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 34.117.121.53:443 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 34.117.121.53:443 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 35.190.72.216:443 | prod.classify-client.prod.webservices.mozgcp.net | tcp |
| US | 35.190.72.216:443 | prod.classify-client.prod.webservices.mozgcp.net | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| GB | 20.26.156.210:443 | api.github.com | tcp |
| US | 140.82.114.21:443 | collector.github.com | tcp |
| US | 8.8.8.8:53 | glb-db52c2cf8be544.github.com | udp |
| GB | 20.26.156.210:443 | api.github.com | tcp |
| US | 8.8.8.8:53 | 21.114.82.140.in-addr.arpa | udp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 8.8.8.8:53 | 101.210.23.2.in-addr.arpa | udp |
| GB | 23.213.251.133:443 | cxcs.microsoft.net | tcp |
| GB | 92.123.128.155:443 | www.bing.com | tcp |
| GB | 2.17.5.133:80 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | 133.5.17.2.in-addr.arpa | udp |
| GB | 92.123.128.155:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | c.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.f.f.ip6.arpa | udp |
| N/A | 239.255.255.250:3702 | | udp |
| N/A | 224.0.0.251:5353 | | udp |
| N/A | 255.255.255.255:10004 | | udp |
| N/A | 10.127.255.255:22222 | | udp |
| N/A | 10.127.255.255:22222 | | udp |
| N/A | 10.127.255.255:3289 | | udp |
| GB | 23.213.251.133:443 | cxcs.microsoft.net | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.129.74.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.205.23.2.in-addr.arpa | udp |
| GB | 104.78.168.184:443 | remoteassistance.support.services.microsoft.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| GB | 2.17.5.133:80 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | 89.65.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 255.255.255.255.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
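The Network table above and the Files entries that follow are raw sandbox output, and most rows are background traffic and browser-profile churn from the analysis image rather than activity of the sample. The Python below is an added example written for this page; it is not code from the report, from Tria.ge, or from the Gocullinator repository. It parses rows in the same pipe-delimited layout as both tables, drops loopback/multicast and known sandbox telemetry destinations so that only the sample's own contacts remain (here the github.com and raw.githubusercontent.com rows that the report flags as abuse of a legitimate host), and tags file entries that are NTFS alternate data streams (the `:Zone.Identifier` Mark-of-the-Web stream on `Holzer.exe`), user downloads, browser-profile files, or zero-length content (recognisable because their digests equal the digests of empty input). The background-domain suffix list and the inline sample rows are assumptions constructed from the hosts and paths visible in this report.

```python
"""Triage helper for Tria.ge-style report tables (added example, not part of
the original report or of the analysed project).

Assumptions: BACKGROUND_SUFFIXES is tuned to the hosts seen in this report,
and the SAMPLE_* constants are rows copied from the page as inline input.
"""
import hashlib
import ipaddress

# Hosts the Windows/Firefox/Edge sandbox image talks to on its own.
BACKGROUND_SUFFIXES = (
    "mozilla.net", "mozgcp.net", "getpocket.com", "gvt1.com", "openh264.org",
    "microsoft.com", "microsoft.net", "bing.com", "in-addr.arpa", "ip6.arpa",
)

# Digests of zero-length input: an entry carrying these was empty when hashed.
EMPTY_DIGESTS = {name: getattr(hashlib, name.lower())(b"").hexdigest()
                 for name in ("MD5", "SHA1", "SHA256", "SHA512")}

# Constructed sample input: rows in the report's layout.
SAMPLE_NETWORK_ROWS = [
    "| N/A | 127.0.0.1:49732 | tcp | |",          # shifted-left variant
    "| US | 8.8.8.8:53 | github.com | udp |",
    "| US | 8.8.8.8:53 | spocs.getpocket.com | udp |",
    "| GB | 20.26.156.215:443 | github.com | tcp |",
    "| GB | 20.26.156.215:443 | github.com | tcp |",
    "| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |",
    "| US | 8.8.8.8:53 | 21.114.82.140.in-addr.arpa | udp |",
    "| GB | 92.123.128.155:443 | www.bing.com | tcp |",
    "| N/A | 239.255.255.250:3702 | | udp |",     # aligned variant
]
SAMPLE_FILE_ENTRIES = [
    ["C:\\Users\\Admin\\Downloads\\Holzer.exe:Zone.Identifier",
     "| MD5 | dce5191790621b5e424478ca69c47f55 |"],
    ["\\??\\pipe\\LOCAL\\crashpad_5788_SQMUOBYEKMMQKBVV",
     "| MD5 | d41d8cd98f00b204e9800998ecf8427e |",
     "| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |"],
]


def _cells(row):
    """'| a | b | c |' -> ['a', 'b', 'c']"""
    return [c.strip() for c in row.strip().strip("|").split("|")]


def parse_network_row(row):
    """Return (country, ip, port, domain, proto) for one Network-table row.

    Rows with no resolved domain appear either as '| N/A | ip:port | | tcp |'
    or shifted left as '| N/A | ip:port | tcp | |', so the protocol is
    located by value rather than by column position.
    """
    cells = _cells(row)
    ip, port = cells[1].rsplit(":", 1)
    proto = next(c for c in cells[2:] if c in ("tcp", "udp"))
    domain = next((c for c in cells[2:] if c and c not in ("tcp", "udp")), "")
    return cells[0], ip, int(port), domain, proto


def classify_destination(ip, domain):
    """'local' for loopback/private/multicast/broadcast, 'background' for
    sandbox-image telemetry and reverse lookups, otherwise 'sample'."""
    addr = ipaddress.ip_address(ip)
    if addr.is_loopback or addr.is_private or addr.is_multicast or ip == "255.255.255.255":
        return "local"
    if domain.endswith(BACKGROUND_SUFFIXES):
        return "background"
    return "sample"


def sample_contacts(rows):
    """Ordered, de-duplicated (name, ip, port, proto) tuples attributable to the sample."""
    out = []
    for row in rows:
        _country, ip, port, domain, proto = parse_network_row(row)
        if classify_destination(ip, domain) == "sample":
            key = (domain or ip, ip, port, proto)
            if key not in out:
                out.append(key)
    return out


def file_findings(entry):
    """entry = [path, '| ALG | hex |', ...]. Returns the tags that apply to the path."""
    path, digests = entry[0].strip(), {}
    for row in entry[1:]:
        alg, hexval = _cells(row)
        digests[alg] = hexval.lower()
    tags = []
    if ":" in path[2:]:                       # colon after the drive letter => NTFS ADS
        tags.append("ads")
    if path.endswith(":Zone.Identifier"):     # the Mark-of-the-Web stream
        tags.append("motw")
    if "\\Downloads\\" in path:
        tags.append("user-download")
    if any(digests.get(alg) == h for alg, h in EMPTY_DIGESTS.items()):
        tags.append("empty-content")
    if "\\Mozilla\\Firefox\\" in path or "\\Microsoft\\Edge\\" in path:
        tags.append("browser-profile")       # sandbox browser noise, not the sample
    return tags


if __name__ == "__main__":
    for contact in sample_contacts(SAMPLE_NETWORK_ROWS):
        print("sample contact:", contact)
    for entry in SAMPLE_FILE_ENTRIES:
        print(entry[0], "->", file_findings(entry))
```

Anything not on the suffix list is reported as sample traffic, so the filter errs toward false positives rather than hiding a C2 host behind a too-generous allow list; extend `BACKGROUND_SUFFIXES` per sandbox image rather than per sample. On a real report, feed the functions the rows copied from the page.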
Files
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\datareporting\glean\pending_pings\9161e448-f207-4813-8a57-84ca73fa462d
| MD5 | 4d8c9a498f1206d9e7a7d3f50b30d2f7 |
| SHA1 | 2730aaa45fbba6e389dabb9ca8ccfbb2b8e97ffe |
| SHA256 | b2dbfe80862a03564bed7cc968743170675389d0185823a614bb13d5a0927406 |
| SHA512 | f63b7438516bc667bf3092474cd70319b8b28092a40d1ce3b5f754f2c1f2ab4fdbc0e1999d305e5448b1592307766151d3e4487c359901378d44ef63b9b6aba6 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | 1c2395efa4c4d3bbeee8b0995947df22 |
| SHA1 | f8a96f4d43993569076daacf5561e0b1d3ac549c |
| SHA256 | ceb86511e5f57275d27892b485808d377eb396de4499ae6b1bebc8ca89de0478 |
| SHA512 | 4b71fc4eefb3f6d24af32bb62098acf10e9f75af3ab5595b43d3a75b36bd7fbaa0fc137e52f9b489b560f2a862c4904ec738ba385108ff58ccf3864df480f057 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | 8ef063c09ce1fcaa9df89ce884ca438b |
| SHA1 | c9a10fe41cf5b64ef86698e00d55b4a5c1be1fb3 |
| SHA256 | c6d869f3237aa7103e2539c99c29c03a1b6a6a7b149c2f47e840690499510ea4 |
| SHA512 | 073ee861078da4fe7091bb3ed5ee79ff8b8fb866cd0ccca8941a2e502e603df7342f186cc00bccaaf2a684b64089bbb4474d5cca37c1b340a9dbf275e372b00e |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\datareporting\glean\pending_pings\6b6bc8cd-639a-4aed-84a8-bb1eb190f0d0
| MD5 | 1227904bd4f29748011f988b4a7b4552 |
| SHA1 | 45ef549cf32e16d8e0fc3dc766fd6de0d2b5360f |
| SHA256 | 4ec44ca6e51d9397941fe7017cbb876f183afda29535cad453dad0d5bef85f2d |
| SHA512 | d393146a9eb30e96ed8f4766740ab25f52b6085f7e1b45f4f76271540241b6d69d34a7e77ef01821ca216868e37af56593ddef25a8f14846bfb39098be10ef61 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\datareporting\glean\pending_pings\30ce2edc-cf62-40a1-a178-d915df9066f6
| MD5 | 90d2580fca12a4af4d541f3004962989 |
| SHA1 | 97c865948fb6f8e47dd8f216e9529967634550f2 |
| SHA256 | 081e5bb44a202557465171cce2bfa8e712e43bbc20486a51d2c6c78bae9f180f |
| SHA512 | f8978f2eb7d142079d36a82d9fb75d503246a4113b7ef6d648e2521ddc9950b80f9ef3f1e95154bebb70cd7a26a4531eddd9c8f170281b73213c78a73a4c5f23 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | a56ceec811118ab8266556c74d14bf47 |
| SHA1 | 44e666ad44934ff7375d34dc9b7e2a3f31733dff |
| SHA256 | 98a95e813d03c086aa2832c2a2724719f5097ccc41083d1c43a390db20752ffc |
| SHA512 | 17d4b8071b6d6ae7acb987c9bec36f5598434893c99e69cda504e317f35e5753566ead1bdc9237df7bf1239bd04a2f6d539c165a8bf8a91463bbdcd88f394fdd |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zgr882s2.default-release\activity-stream.discovery_stream.json
| MD5 | a205c9b0f926aacc0ffbb6e5db61ca63 |
| SHA1 | a86c60df3b391f55e08111ac88e36011dd93a179 |
| SHA256 | 0bf0b9985a4eb09ef7cf97fec02a5f44efc28b2c5c1900b1582845687f0dbea5 |
| SHA512 | f5efaa86c6b69d505b213f299193ea3a10298eb277956371998af3831052f9be0b69d63afea944e25ab6afba3e4ca7d48688abb5878dde2e3fd9ba5fdbc01cc2 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\AlternateServices.bin
| MD5 | 5717a70c26c34f1528368556fb1c0010 |
| SHA1 | 5bd6679a0a93dd1baad51de05944b46c6de130c6 |
| SHA256 | 0d5c2ef1b91e6d9b9d02b29366023a2d12c2be4c5a0bf90da1c5b02cfce754df |
| SHA512 | 5ff3d1e92f59b1e3dbaa556cbb97d4b14d15eb8e07456557a0537799eef8134720006aea8e8748bbb95803838818223464105b4252ab8247fc510db3619d0113 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\prefs.js
| MD5 | de11b9976d482a690d6f8f1b499d35e7 |
| SHA1 | 539cc677d5379c2ef979a046a6906a151362e416 |
| SHA256 | 115ee5d12bce738b79c744173cd355570015ed087a9789208162891b6b266ba8 |
| SHA512 | 7b5ca0c1d3915f238559f100b2434bf66b67020a9006e36fb1b16dec95242e002a20ccb26d989d5c6b5d7175457d004d5270e6a53411707fed3596f4aad6d19f |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\prefs-1.js
| MD5 | 72bd32c514762afdab335fd9133ec93a |
| SHA1 | f66098ee22f13c19a8a4797fdf67d70d3167ef06 |
| SHA256 | 7fe43c599e3e9c22470507e2796f209d8e8531c3968c6fab2c9521dc5ec42d14 |
| SHA512 | eccbdc2c372515fd75d76f0b2cd28e81538a630bb20f4e25cbb22ae716fcefdfe9452384ab91dc5529cc2901e8396beded99affbc4ec52af7473c6bd2981b5f4 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | 509a38200a49f1dde4bda5946349e190 |
| SHA1 | bb9c7e47c0c599ab3e66fca167e673ca82012f8d |
| SHA256 | 3773570833b9cc7ec0ebbe20b9a6f855955e66afd8659c01d58fd24c45b8658e |
| SHA512 | 611fc9427d368f51a49cf0305f66f9550618372ab068975226418a20b4b3a0d4bfb61f027e725862ca7cb54d7764f50ae2e8e6a8fd666fcb5238dd8625cfd9c9 |
C:\Users\Admin\AppData\Local\Temp\tmpaddon
| MD5 | 09372174e83dbbf696ee732fd2e875bb |
| SHA1 | ba360186ba650a769f9303f48b7200fb5eaccee1 |
| SHA256 | c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f |
| SHA512 | b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
| MD5 | 2a461e9eb87fd1955cea740a3444ee7a |
| SHA1 | b10755914c713f5a4677494dbe8a686ed458c3c5 |
| SHA256 | 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc |
| SHA512 | 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
| MD5 | 842039753bf41fa5e11b3a1383061a87 |
| SHA1 | 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153 |
| SHA256 | d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c |
| SHA512 | d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zgr882s2.default-release\cache2\entries\0305BF7FE660AF5F32B4319E4C7EF7A7B70257A3
| MD5 | 3f3901416c07f41fd63b8e4eed090451 |
| SHA1 | a89cbcee7d2dc409e54ca4bdd2b3cfdf1d409f69 |
| SHA256 | f16f21f18be974b2d55b4a03cd47a1d6883ae977f84f89581a41814bb1eacb9f |
| SHA512 | 0d3ffea8601ffda917fbad9af7f00c7e65c1fe37aad15dd6bd65aaebe8ac441c3a55c413f336b0c015ab7f6aa8e88fc416d2a9d7d5e0ecacb3fd5f9a1a48a042 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\prefs.js
| MD5 | 875ba86639f989f03fc582b435ed62d1 |
| SHA1 | 949f7c5b53269825c5e252d627fd405c011ba109 |
| SHA256 | f795d8ebf91d0587e73e57619de571da678b7e713af60cffc6b7aa5325009a96 |
| SHA512 | fea2d5fa28410fbe6cf604e8708f8b1264bb5263995b3f6c92cb63a999299cea1e01526a51d54145cacc8a287354af1a4329ffb30f2fe2dad1f0513aa0ebd82b |
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
| MD5 | 0a8747a2ac9ac08ae9508f36c6d75692 |
| SHA1 | b287a96fd6cc12433adb42193dfe06111c38eaf0 |
| SHA256 | 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03 |
| SHA512 | 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
| MD5 | bf957ad58b55f64219ab3f793e374316 |
| SHA1 | a11adc9d7f2c28e04d9b35e23b7616d0527118a1 |
| SHA256 | bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda |
| SHA512 | 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
| MD5 | daf7ef3acccab478aaa7d6dc1c60f865 |
| SHA1 | f8246162b97ce4a945feced27b6ea114366ff2ad |
| SHA256 | bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e |
| SHA512 | 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zgr882s2.default-release\cache2\entries\22386449CA13D8975B935875780066C6EF52CE37
| MD5 | 35bf371c3ded7b5f80f6c05a2c982d83 |
| SHA1 | 7e43073e8080be6cb9f943e3ade49b4feb60afaa |
| SHA256 | de7a75b3fa4f75ae23d7b942f7f21e8ec542429bcb837ca1a63a970d175ac63f |
| SHA512 | 7790bc8c9d19af117b383e3c41f407f027d19a2018a783e3211be6c6c246504698ff34ae7bbb6513e008bde0582c7bf33dc98836b4cfe3a5b18017ec0799a78e |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\prefs-1.js
| MD5 | 53f86526221ef014c8c63fb05b598c54 |
| SHA1 | 2fde583cf1cc591433804519aac0710b7a91d2aa |
| SHA256 | 505f8f65c1f549355878a95fc8b5b65daf650872e03acf7020b9d5cbe257a4aa |
| SHA512 | 308a459cd531ac44e92eb02cfdb144147e2261dd7aac18eb5ea5368071a074075c2c673b24602d809587f1f38df63cfd5cc4bbadd6e789c55cc9c2edaca7ec18 |
C:\Users\Admin\Downloads\Holzer.exe
| MD5 | c971c68b4e58ccc82802b21ae8488bc7 |
| SHA1 | 7305f3a0a0a0d489e0bcf664353289f61556de77 |
| SHA256 | cede0b15d88c20bc750b516858f8bf31ee472f6cbd01640840890736c4333cce |
| SHA512 | ff199691c35f2748772410bf454e8b76dd67d892dd76fc87d20b3bbe6c145c6af1685344de636326692df792f55d0fba9a0025a7cf491d0b4e73ff45c3b039d7 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\sessionstore-backups\recovery.baklz4
| MD5 | b36d469c7080e6579597b8fd8adb9d16 |
| SHA1 | f923ebfc301569ec1394065cb9483fb8b3dbe677 |
| SHA256 | d8b6c3ca2bb2ee3a1c0b7da0eb6f218d1a6bb16c3030b0a897952dae181abe89 |
| SHA512 | aa8b3c8e7a99bd12516059e967def5c703479acdfdf7b76d88262a37b357814e27ce4b123b46a7fdc872b0d9b8d96daabdb419eba01f0848c8b4d96bbf3dc425 |
C:\Users\Admin\Downloads\Holzer.exe:Zone.Identifier
| MD5 | dce5191790621b5e424478ca69c47f55 |
| SHA1 | ae356a67d337afa5933e3e679e84854deeace048 |
| SHA256 | 86a3e68762720abe870d1396794850220935115d3ccc8bb134ffa521244e3ef8 |
| SHA512 | a669e10b173fce667d5b369d230d5b1e89e366b05ba4e65919a7e67545dd0b1eca8bcb927f67b12fe47cbe22b0c54c54f1e03beed06379240b05b7b990c5a641 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\sessionstore-backups\recovery.baklz4
| MD5 | 726cd30bfd4c3a45b74dcf60f42d6416 |
| SHA1 | 221975f8ab61475189a165c4928b8bbd611d5fa5 |
| SHA256 | cee6d8f7ad3f5a982e875f46b513bd74db75c1e86751e7bf4f23f21f9a23f8e0 |
| SHA512 | e3a2110f097774fbf6b57b76e2df2891aa01ef63c5d302f451131d2ef706b067fd680bba3d9a51a33b94557cb53da302b28515c194c5fd5e64d91639334213e4 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\AMD5BAJCGYLPV1WGKGT0.temp
| MD5 | 11778686476d3c860cd944345d7046d3 |
| SHA1 | 51c66aee3b9294feecf0375dc70d15bde2f1bd29 |
| SHA256 | f550b216d09bfc33fa56186a92036be8fe771fefd1e2a8feb4fb710602f9b5c2 |
| SHA512 | fcc95b9c8850e6c1412856bbd9c9ec29e7a60997ff31b85211ea48719f1cf730151c801b7b2b034cacd5d887903b30e5bda41f9163e9ab3fab67045021d5e934 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | f474b50d79c114854d3b551a123d0822 |
| SHA1 | ca4d4c70ddcd087324d48d8f0a3fd47cb998adc6 |
| SHA256 | bd0f53a93f4193ffa245d8a8d6d8c9bb3a8ae81a5a56343c33d134e4ce32afdf |
| SHA512 | 7de38ddad7a908bf78b3a0b3a5b78fd23316a21f8f17e9c86882f2d109b78ebe70b4d2018b7bee08c62a2e785fa7ef6af735731f4b488762078a2e253b69b543 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zgr882s2.default-release\cache2\entries\6D89348819C8881868053197CA0754F36784BF5F
| MD5 | 4af193b60820d64144b9cf3bae4a1c6a |
| SHA1 | daed69f0ceb1b20049f0d0604fd7ca64dbccab37 |
| SHA256 | ea00cd7dc22e2cd8448d9bc3388fbddb88f098e5237e7421a4a94c4f5f89b7f4 |
| SHA512 | fde2fbe419f4c691de235f774f474be855d08f1ed6b386d63f79ba2c5c4b8ea2e8308ab51637a326830b8baca2df60abd87dd752f04309ae3278b3ffb977235e |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
| MD5 | bed12a9a5311fd5a2cda9cac8fe5ce2c |
| SHA1 | 5c292f0b1c50b71927ba6de4cfd8d8c24ceb3d2c |
| SHA256 | ccc9600c691dfa5c3bfa1f86b4ef214a4a56efc3710854e8bf8d329dcb96427d |
| SHA512 | 5945f3227f032e58fab9df5361df4614d041cb0492e157bde9c5b735474d24b76a3ee0fe8853aa9df491d63f38b3564bffbc43eee0026ac142a4fe339709389e |
C:\Windows\Logs\DISM\dism.log
| MD5 | c7554053ebc553f2b79eb4fe44772786 |
| SHA1 | c844315961ad937c030e49ceb38ff36ac8455f63 |
| SHA256 | 00dee8e57ef535822cb0e6f26e90cd625ff788fa8433660ce84d16992dfb159d |
| SHA512 | ab8a4fb2d5237b5400efb55100438437a939a8a9d729579b129add3eb1b5632b9957a331b7bca1c5eabac3b2dfa79b31a527396283ae4e20b7c8fc8e1975467d |
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak
| MD5 | 7050d5ae8acfbe560fa11073fef8185d |
| SHA1 | 5bc38e77ff06785fe0aec5a345c4ccd15752560e |
| SHA256 | cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b |
| SHA512 | a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b |
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
| MD5 | d0fd2204de0ac29061e7314ee45b0bfa |
| SHA1 | 471ff9a39c0a4fc814844153bf4a368eec952433 |
| SHA256 | 2143b38a332f1498bd717bf10e22390cb6f8e1d90a6e89a8b555fa6d1198df66 |
| SHA512 | 1bf4e2b85ade5bad92ba1e467469059bb0001870adca11f065edf52ea4cd7cae02e578b21d184d9f3965a6ad619cc7e1c65110a37d204573d0dff79d20c63141 |
C:\Users\Admin\AppData\Local\Temp\wmsetup.log
| MD5 | d907ae181b4304fd35b69481c8d49ab8 |
| SHA1 | 2fd13fcd8aaa3790d8617fc9aca5158616a83f71 |
| SHA256 | 4d746ffaba7dedb97a18fe0d17287b5363e4b13d7d108f3f3a7c95bfdbb16cdc |
| SHA512 | 4e0df72f934769a24351dd8b8da615b0abf6f7b115217d16188d9b344b2a4594ca4d7997893310ebb7c04d39a9060e69f668ad1176c6e1142efebfa4f459a90a |
memory/8092-4072-0x0000000001830000-0x0000000001840000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 058032c530b52781582253cb245aa731 |
| SHA1 | 7ca26280e1bfefe40e53e64345a0d795b5303fab |
| SHA256 | 1c3a7192c514ef0d2a8cf9115cfb44137ca98ec6daa4f68595e2be695c7ed67e |
| SHA512 | 77fa3cdcd53255e7213bb99980049e11d6a2160f8130c84bd16b35ba9e821a4e51716371526ec799a5b4927234af99e0958283d78c0799777ab4dfda031f874f |
\??\pipe\LOCAL\crashpad_5788_SQMUOBYEKMMQKBVV
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | a8276eab0f8f0c0bb325b5b8c329f64f |
| SHA1 | 8ce681e4056936ca8ccd6f487e7cd7cccbae538b |
| SHA256 | 847f60e288d327496b72dbe1e7aa1470a99bf27c0a07548b6a386a6188cd72da |
| SHA512 | 42f91bf90e92220d0731fa4279cc5773d5e9057a9587f311bee0b3f7f266ddceca367bd0ee7f1438c3606598553a2372316258c05e506315e4e11760c8f13918 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | d359fc87a72a204ef3e8d2c653151960 |
| SHA1 | 9a72efe7dd852b8d38d310efcfc10cbc5e991be9 |
| SHA256 | 3ee0068f52bbc41670faea1863b844d6e8947bddbcc18f11ad0e329e66ad1664 |
| SHA512 | 7e6b9050fcc3587e930426c95aca4467e986570f8c0a878f035d51a85d1d88dd75b6890d2ba4bb5880bcde1a7736b16bd07ba1430b928c39a67838e56d982d1c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | b488ebdfe805dde8d86d842a1bbab9a3 |
| SHA1 | aee05ac83be6599c32adb35114b2f71f5681b702 |
| SHA256 | 14002e3249721af094c1d6785abc9bec7c0213d23de79aef8378a6b3cf6eadcc |
| SHA512 | 1bf13216ae18cd09c5479443e87300fe4989eb09197095874e7b11751769bb47565a2e24492a5686f9696a23c32088ea404ead486a0b45817d09eaa608a86aef |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 25917f3d8e5b0107657d275b89f13466 |
| SHA1 | 82d42c8e9d39042645674eabd45f8d1a254872b3 |
| SHA256 | 5f3b369697453e0a22c5c3ddd803704b1cdfaa4dc9e69e7776097e8a80819221 |
| SHA512 | 27744448b220696b8439b420d34d1db5199e1b344692baf6411f39cc7655e924a296ac2d0a592186d3f533324274d6e8e78386d2fa79f7e79fc32ed583f20b84 |
C:\Windows\Panther\UnattendGC\diagwrn.xml
| MD5 | bcd5c1967ff6eaa2b832450e97ee187d |
| SHA1 | bf1598a43c08eae84944a4eca01461d916585178 |
| SHA256 | a9d541857747db3fa4e29da5ada66fa122712ec921b09c3d438310d4edafcc33 |
| SHA512 | 55b4832ab1537b53597dfb7d0ba5cfddecb6c08f21e8d4bd36f1195eebf736a48e704b89f8058de5a2e070680291d598e762aa2b1c1f748604791d704da83491 |
C:\Windows\Panther\UnattendGC\diagerr.xml
| MD5 | 08d03e4294be07ea68e2c2f28b9d1ab3 |
| SHA1 | 1fc001db3052634a1198c993c2e8f0359ccfa101 |
| SHA256 | d445c96bf5c1be65479218250c9dc07cec2c548fec7a505aa6fa105a0137beb9 |
| SHA512 | 2827ebdbb66238a601c4153c1ab9adb37846594c864390a2130283b19eccd999c43cccc3076007440197fcdda08e81f5f02e872790d6c350bc658a623906ae0c |
C:\Windows\Panther\UnattendGC\setuperr.log
| MD5 | d44c332a7da66068f6941be84996c2c0 |
| SHA1 | eebe55f8355ded1c35f3bff0fa7710c6d073be75 |
| SHA256 | 954ccb999511cbb927bbd482cce6c3ff51867c3b522380492ce6c4b8bd3d5dbc |
| SHA512 | 65bf3df0464645a0e0f009449f245183e388ed1e58bd2746f27a35f24d13a336a1ab1942c785024ea643ed520553764370c9a24b2c66e792eeeef9335c272b57 |
C:\Windows\Panther\UnattendGC\setupact.log
| MD5 | 8a3ad031c995291557dd1ec19f4c58ef |
| SHA1 | 95e472181b4ee94052355368bb65a3e720fc21d6 |
| SHA256 | 5557e196aba7bf493c47ac90b9def00c7c0c1b79e056a1359c3c9a6f37b1aa96 |
| SHA512 | 1b3cf4b6d2ab669ce8c4542997dd5f665eff48416b536b052d20af7a3d70b16c4ff6f36725062431e08669653173c77fe04b6ed2e5ac6189ac8accab61bb5e54 |
C:\Windows\Panther\UnattendGC\diagwrn.xml
| MD5 | 4d964f2e0c70b80c1c7d6e1fbcc142fd |
| SHA1 | c17fd43d42ab97cfde53de1a484656cf429b92e5 |
| SHA256 | 2db680527bf1e34273afcfd69c8c724ba3804963d4d1f14ff54beaa9c7ed1550 |
| SHA512 | af3549c44790098380774e85a30ce238df3236a580fecfa496d49b21e5a62062ccfe93bbeac6621ea45f1be77fe5c19e4966df81416912d1242e8e9ac4b3f8c5 |
C:\Windows\Panther\UnattendGC\diagerr.xml
| MD5 | 10d06f3a7b012d14ca7c371afdbe663c |
| SHA1 | c28bebd616fd89a001761ef038c770983d98f440 |
| SHA256 | d48b332ef1852f71af824be420bea0e26193d8a033f61bb82d62aa23b9264f74 |
| SHA512 | 19185d834f508cc26f2713969f1cab897bce113f041c2bd571d310bdee5fffa9807fbc4c273834c9cd8f23f509a7efdc7921310a1344d98180d3a71ba61b86e9 |
C:\Windows\Panther\UnattendGC\setuperr.log
| MD5 | dc673355054bd623676bad5bc5c63bb5 |
| SHA1 | 0c2905cc621b15e6ca19a4d111f8488722c9bef0 |
| SHA256 | b83bb641cab1da368a7e4bdfa686863a02d3001bca26a6d3f6d219914396664d |
| SHA512 | 3fe645bcd88329f90aaf2aee33c170e6eaf874398c4392b7a2036cad07ba5f1c647cf8449e8d64cdfd0a30cdeff2ce3c9998a2a8ca00c981d3f46f8df152f53a |
C:\Windows\Panther\UnattendGC\setupact.log
| MD5 | 5e81a68e52a85a197c09696f1aa3c177 |
| SHA1 | bd2e61a7fcac6b8aa666cf86cd0a4f9bcd3edf65 |
| SHA256 | 0fecc27d5b2884817cfb6a12d8b394ae437a54e95a3f5886f45f0a16859f6539 |
| SHA512 | 7d88b6f0a5e6e63990cf7057c156e5b9e14fc735204c22c6e8a470053f2d861673506223a2f2541f2a929067ba2cb97cd3da92b77f94b828338877612042c416 |
C:\Windows\Panther\UnattendGC\diagerr.xml
| MD5 | 1d3b3c8bba52670f34af7d31d8123dba |
| SHA1 | e972ad4c494a079a22ef9e6d4db491335a685321 |
| SHA256 | 15a76b2ef1b8f46a8dae7708a235f2e424370808fe69ba7c225e9ec0f148a69b |
| SHA512 | c591fdda56df1f7b3204b8ca7f1d4fc1158360507c1b1b9257df0af15805d0a8a28495b6588f30ec2fb779572192405d7bcde6934ab30b2ece138e62cf288520 |
C:\Windows\Panther\UnattendGC\diagwrn.xml
| MD5 | c6e599ece2c3da2e60d2dd72295992dc |
| SHA1 | 6791db33239eb1bf0921a82a546b984e9edd3bb7 |
| SHA256 | 9539627cd25de23087bfc2ba07e76838a5fc5f61081ed283cea7f9df1f325aca |
| SHA512 | 63605d4eeaeba8e281eb32597589c9d525e22c2bbf99304cd1051273f2f4f4c61c1288f1886e7c4a0fa75805e89f0b822bdaeb761deaeb76f526698d4bbdf9b2 |
C:\Windows\Panther\UnattendGC\setuperr.log
| MD5 | 8f19be5579a58cb64cdfde341afea614 |
| SHA1 | 3086f678bec673eec4df01bffd837f143cc23806 |
| SHA256 | 70cdcf73413663e0129c1943c5f4e0f0b4a5d575d0fff88e9120351326b1e3b0 |
| SHA512 | 8e4fc8b75a48cd47583c57c3d72ac5663d3e80b458334ff69e86123566d6abe134534bc294b0dd017b13509aa46091d64395c9bfcb7336a1c38bd0c72d1d2ad3 |
C:\Windows\Panther\UnattendGC\setupact.log
| MD5 | ab6e4712a0ff291915e23640bd5cbe6b |
| SHA1 | df6d1443fa18b85fdd37b281fd809b7ce94cfc97 |
| SHA256 | 37bdffdc9c9a2cf86730e66795a2f4e9903d60f549adf09ccae0a4e927b4d386 |
| SHA512 | 7025eb8259b22612b78d5a18b9c1daa393854f1f888f5f902232e43036b0074295eac157f3cb7e66af99482f0f49b87d1c6f08659314e97c8f7b045fbba1a1cd |
memory/10320-4185-0x0000000035FB0000-0x0000000035FC0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\setup\logs\DeviceHealthSummaryConfiguration.ini
| MD5 | 52c9473193b9bddc1572ae9277c16a01 |
| SHA1 | a8a83b1fc37e4cbe1f68b104fb1c1b0f00f8927e |
| SHA256 | 3bc4df39d8cd1ae6d79bfcc522bc8cab561908cc8bb107bfed35e1128e0329e0 |
| SHA512 | b2e5361592912f9f223000c9846c59ebc25cee95449ecf776dc89d52dc06d03a130665ac622f779ae617fc2963158dbc97ec0843b73e477e94bfe03d705bff1d |
memory/11148-4261-0x00000000012C0000-0x00000000012D0000-memory.dmp
memory/11148-4260-0x00000000012C0000-0x00000000012D0000-memory.dmp
memory/11148-4259-0x00000000012C0000-0x00000000012D0000-memory.dmp
memory/8340-4264-0x00000000012A0000-0x00000000012B0000-memory.dmp
memory/8340-4263-0x00000000012A0000-0x00000000012B0000-memory.dmp
memory/8340-4262-0x00000000012A0000-0x00000000012B0000-memory.dmp
memory/11148-4265-0x00000000012C0000-0x00000000012D0000-memory.dmp
memory/9444-4269-0x0000000001240000-0x0000000001250000-memory.dmp
memory/11148-4274-0x00000000012C0000-0x00000000012D0000-memory.dmp
memory/11148-4273-0x00000000012C0000-0x00000000012D0000-memory.dmp
memory/9444-4267-0x0000000001240000-0x0000000001250000-memory.dmp
memory/9444-4266-0x0000000001240000-0x0000000001250000-memory.dmp
memory/6012-4278-0x0000000000850000-0x0000000000860000-memory.dmp
C:\Users\Admin\AppData\Local\Resmon.ResmonCfg
| MD5 | 407aab8c27cf7081eece071c90a65b83 |
| SHA1 | d9ec9f9d3768fb1c3646284d77f519f74ee6b8cc |
| SHA256 | 568269850dbb3f5f52e0e38e3c0b29be06c70c58fe425b39746f5ccefdd668a4 |
| SHA512 | 88a35933e87dbdd298577bdb33afb1f878dc68f43e7916c4102e893fe04812a9522ed66755df03105fd199fdc3c6bd197051c22b2ea2765d0adba5c375ddd35c |
memory/8340-4281-0x00000000012A0000-0x00000000012B0000-memory.dmp
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\9a6fad9913a30e0476c200ab13f96c2c_99ef8723-b5cb-4d6a-b7a3-7e98e5e6f2a8
| MD5 | 666ea65934b820274adc4c5c344bff32 |
| SHA1 | d23a25d65fa435eb01c6de837656a8d61a58620f |
| SHA256 | 4d0d8cbc6fb59c8e081349f09f3f82e65540b64b50969e4cea5948624fbec604 |
| SHA512 | bb2eed9cf9b508711acb566f180cd329e4b0c7de7acb9a614e25d866b683f6e297675c025dc3910176816202aaf12749411112dc42059fbf5f15fa8929accc37 |
memory/6012-4276-0x0000000000850000-0x0000000000860000-memory.dmp
memory/6012-4275-0x0000000000850000-0x0000000000860000-memory.dmp
memory/8340-4287-0x00000000012A0000-0x00000000012B0000-memory.dmp
memory/8340-4286-0x00000000012A0000-0x00000000012B0000-memory.dmp
memory/9444-4289-0x0000000001240000-0x0000000001250000-memory.dmp
memory/9444-4293-0x0000000001240000-0x0000000001250000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\DRM\CERT-Machine-2048.drm
| MD5 | 2600ec4ed8d7b523bb33b773b31a7320 |
| SHA1 | 6df88ebeeea513802690d610328fbf41c3bda227 |
| SHA256 | d0cdc3c4ee6015cf64d602c297ff2fd779a5b9ad50d00e99cf73f87ad45fa53c |
| SHA512 | 081ee419a5486f4fe609d2d3f6c3f335294fd34aa6b67b75b398023b7e7e07ac1a3222e2c4ab03a245206705116cc8a8af6c5ce1212d759600db2457ce7d30f0 |
C:\Users\Admin\AppData\Local\Microsoft\DRM\CERT-Machine.drm
| MD5 | 730e9e6b157b3fc400acda6e2c5a442f |
| SHA1 | 49d86eb71df09098f4a72aea3169c3901aa09f37 |
| SHA256 | b3566ee1acd85594e5e46ba431a53aec10027474ca0482848a2d1c58c8b3dc34 |
| SHA512 | 2634bf858f5885787506bd75b29faef99b219ea9ae883777475e73bee14fbabee28a771e359e2bf748a0f9fa41d2f252a3778b0bfa8173e1a78eba52e3fdf5de |
memory/6012-4296-0x0000000000850000-0x0000000000860000-memory.dmp
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\9a6fad9913a30e0476c200ab13f96c2c_99ef8723-b5cb-4d6a-b7a3-7e98e5e6f2a8
| MD5 | de9c37ebc68009a25fd9c68a3be80d43 |
| SHA1 | ec0e281208599e01f94b4e9c9ed5bfbd8bd59990 |
| SHA256 | 14b3f481d35450e9638e0777f39a041a0e6c372c1f0d1a4c0ac5668c67deebe8 |
| SHA512 | 999098db86ab487a83300fc14f96b93de6d5264b53d92eeaff207b7379162a26f0789938b60fb58b34405411db08df10acf40f5eee97ff3fcf8020a2c1de3a5f |
memory/6012-4301-0x0000000000850000-0x0000000000860000-memory.dmp
C:\ProgramData\Microsoft\DRM\Server\S-1-5-21-970747758-134341002-3585657277-1000\CERT-Machine-2048.drm
| MD5 | 0a4d68adf3f5f4f034f196486623a15d |
| SHA1 | c8b72ffb8e686db3eb8eb194484748f5836780ec |
| SHA256 | dfc1a228efa1909380bc6a6ba4d6d9d0c252b3fa42be0c74ce744cfcb833e064 |
| SHA512 | e63980a65c779a442aa54e451e6d8c64ec1a9685a0f872c931a027ee13cd77db954109167a1c3c6e28e565e67e8fd1644d31b2a1e892fa421ee510402704dfb9 |
C:\ProgramData\Microsoft\DRM\Server\S-1-5-21-970747758-134341002-3585657277-1000\CERT-Machine.drm
| MD5 | d6a0117695b6b9ca261a2cf718412ae3 |
| SHA1 | 4134bb84ef4e38c206ee45e50e6315239c0bb9df |
| SHA256 | 629f69a8474084f169a9883b1a7842d3859f4dc99711297fc2988bb3c393ed4f |
| SHA512 | 9159cc0bd9e9b04c4afd37bde683612bcaf41d8dc81e5aa68b4a13d558f65d25ed110ddca4a3acda1896e8a1fe5add3b7d68bc86931b9b6a57b5aecbfbbe49e5 |
C:\Windows\Panther\UnattendGC\diagwrn.xml
| MD5 | 6f492608545e3aac52ef76e81d5dd0d3 |
| SHA1 | b59f35e5d96a9a6a6b78337acc1cbce260e60939 |
| SHA256 | 96401e6b9f02bb5891cffa6bbee2d78732f3743fb187415102b4391e516cc0c4 |
| SHA512 | 948dd731a8b950781ec4e24d73f987b0d22847b2d8ca4a72614f5442a64a0812cfcfe07c73769149144d6ca53d7ed5e588274439e1d4490f4cc096a4bb351297 |
C:\Windows\Panther\UnattendGC\diagerr.xml
| MD5 | 9838ae470f16cf76477234b3596e3136 |
| SHA1 | f0e2d48fd8a2eacb0839c34f061e5c611fa4f215 |
| SHA256 | 778545782dbaa0169e9c4eb235a4091ca2610ad5593b49c831e5fb3c7715237d |
| SHA512 | 1c478ffac18e4cddc45707ff493a7145e4c635ae41da99aab4e8242c5e8b350ca9b3e5eb0bc3452ec3efef23ae7ea6940a8d27b431f2466c99f19048df6a3c77 |
C:\Windows\Panther\UnattendGC\setupact.log
| MD5 | 60901598d0a3d5e163ab9c096d0c3794 |
| SHA1 | 7ffce292486096993a528f167c949c74f4602b7a |
| SHA256 | 4f0eb3af36143d9674412a8f87b71959e28bf0e9077467c4e1857676e7d7decc |
| SHA512 | 64e320a84d7706d787210ebb0a41b6ecf854c866bd573b8948e4d24b7770a5069ea36ea6411fede60ec7838c2c8650bd1e990bce7b1a4aff51cfc1987b37c4a0 |
C:\Windows\Panther\UnattendGC\setuperr.log
| MD5 | 6680d421d537c226f704ab93a78c7594 |
| SHA1 | c4614c2cb5b24c454b6537122bfe8144ce756e2f |
| SHA256 | d751fa458efff1d76404f8a01d34601f8a8afd064bd0d6bfbcbec8fc831c2f19 |
| SHA512 | 537a5c1df833a1c23a4b25726a8c99cbd170259d6d83716cf3c552caab41c6481daff655c4a9803d3fe93fcf92b41c7a6effcfbc4c3a4ce21ca7c0c7d5f9e68c |
memory/6552-4323-0x00000202B8690000-0x00000202B86B2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zpc4d2rx.qvc.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/6552-4332-0x00000202D2CA0000-0x00000202D2CC2000-memory.dmp
memory/6552-4352-0x00000202D3020000-0x00000202D302A000-memory.dmp
memory/6552-4355-0x00000202D32C0000-0x00000202D32E4000-memory.dmp
memory/6552-4354-0x00000202D32C0000-0x00000202D32EA000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
| MD5 | 80ad795b95657dad8598f79e5dec28bc |
| SHA1 | 6709737c0c7d14ae89b586c2142e0213e64c87c3 |
| SHA256 | 35d3fd1d5f22ce3e671251a10d23a23d0858b18d1967b29f7d9f4249d6cd649d |
| SHA512 | 44744d03a371691b916339f798a2603e2b43ebbc8c1d6bd2f72f867e5e5959a38844a7d4ef3f976c9537e5d5a310e66a1d8d7da2e220bff5fc18b5ee75ea190b |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zgr882s2.default-release\jumpListCache\5_EUibGBtE1cWaOjHYogj0xa0h2u9gU0PvprH9KF0J0=.ico
| MD5 | 6b120367fa9e50d6f91f30601ee58bb3 |
| SHA1 | 9a32726e2496f78ef54f91954836b31b9a0faa50 |
| SHA256 | 92c62d192e956e966fd01a0c1f721d241b9b6f256b308a2be06187a7b925f9e0 |
| SHA512 | c8d55a2c10a2ef484dedded911b8f3c2f5ecb996be6f6f425c5bd4b4f53eb620a2baccd48bac1915a81da9a792971d95ff36c3f216075d93e5fd7a462ecd784f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
| MD5 | ab1dac5515bf0a05daf86ee858dc074d |
| SHA1 | 4ed9a5502533419df4284122cd663c269b1ae874 |
| SHA256 | 51b9f182f48639cd9db8eb63d447842a932223f2ff9227f24aa60b4893bcf8b2 |
| SHA512 | 657398763990d1d347cb22772cd3f680bf4089fdbdf16c220ffb88bc1e38936fee9a2198ea9154719a1a86d2a45f373b492e75d48f16209b557dcb8a523ee771 |
memory/5392-4378-0x000000001C080000-0x000000001C0DA000-memory.dmp
memory/5392-4379-0x000000001C920000-0x000000001CE2E000-memory.dmp
memory/5392-4382-0x000000001D2A0000-0x000000001D674000-memory.dmp
memory/5392-4381-0x000000001CE30000-0x000000001CEB6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\wmsetup.log
| MD5 | 4f24c5ff55d3b042ff310bc9b3587c2a |
| SHA1 | 89656d51dc7ab9be2d6a318c9f56109e3e2e6dda |
| SHA256 | b8401d2b0e9b8f5f6ecb53c7d9b0496345de1120508e136a98fdfedb08cd4e08 |
| SHA512 | 214927dbe5e002451c6a62133bcdd7439502e060b596bb2516518b0d8e1b80327e07fbaa84afa3cc7fe7a2bfd5457a3122d2558159a2ae30ea77cd8d860e9421 |
C:\Windows\Debug\WIA\wiatrace.log
| MD5 | 3d4e2f511bb1a60edb3802e0a976f804 |
| SHA1 | 7d271e0a5d8237345612e4dbbf48e113c2fe5eee |
| SHA256 | b51a3af1f4b6b37b3f2caab11380671387187157e54c80d5990b18e806a677c3 |
| SHA512 | ee5d2cf3369d5bca083823b5bc6fb1b9a042b285d298d0019808fd4f057e7a3d5de082a63fea0f8adc8e74c407e500bc9470dd699dcf4e9895d29c410e3f0d81 |
memory/32-4389-0x00000000006D0000-0x00000000006E1000-memory.dmp
memory/5796-4415-0x00007FFBB3130000-0x00007FFBB34A4000-memory.dmp
memory/5796-4416-0x00007FFBB37E0000-0x00007FFBB387D000-memory.dmp
memory/5796-4414-0x00007FFBB4020000-0x00007FFBB40DD000-memory.dmp
memory/5796-4399-0x00007FF75D6B0000-0x00007FF75DB74000-memory.dmp
memory/5796-4413-0x00007FFBB5C40000-0x00007FFBB5E49000-memory.dmp
memory/32-4409-0x0000000075B10000-0x0000000075BEF000-memory.dmp
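The dropped-file listing above is raw sandbox output: a path line, then `| ALGO | hex |` rows, with `memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp` lines interleaved. Two patterns in it are worth machine-checking before any of these hashes are promoted to indicators: the same path listed more than once with different digests (the file was captured after successive writes, as with the Edge `Crashpad\settings.dat` and the `Panther\UnattendGC` logs), and the crashpad named pipe whose MD5/SHA1/SHA256 are the well-known digests of zero bytes (nothing was actually captured). The following parser is an added example, not part of this report or of the analysed project; it assumes only the listing shape shown on this page, and the sample lines embedded in it are copied from the entries above.

```python
"""Parse a sandbox dropped-file listing (path line followed by `| ALGO | hex |`
rows, memory-dump lines interleaved) and flag entries that need a second look.
Added example; the listing format is assumed from this page, not from any
documented sandbox export schema."""
import re
from collections import defaultdict

# Standard digests of a zero-byte input (a fact about the hash functions).
EMPTY_FILE_DIGESTS = {
    "MD5": "d41d8cd98f00b204e9800998ecf8427e",
    "SHA1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
    "SHA256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
}
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
MEM_DUMP = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

# Constructed sample: lines copied from the listing on this page.
SAMPLE = r"""
memory/8092-4072-0x0000000001830000-0x0000000001840000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 058032c530b52781582253cb245aa731 |
| SHA1 | 7ca26280e1bfefe40e53e64345a0d795b5303fab |
| SHA256 | 1c3a7192c514ef0d2a8cf9115cfb44137ca98ec6daa4f68595e2be695c7ed67e |
\??\pipe\LOCAL\crashpad_5788_SQMUOBYEKMMQKBVV
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | a8276eab0f8f0c0bb325b5b8c329f64f |
| SHA1 | 8ce681e4056936ca8ccd6f487e7cd7cccbae538b |
| SHA256 | 847f60e288d327496b72dbe1e7aa1470a99bf27c0a07548b6a386a6188cd72da |
"""


def parse_listing(text):
    """Return (files, dumps). Each file is {'path', 'hashes'}; each dump is
    {'pid', 'start', 'size'}. Digest lengths are validated per algorithm so a
    truncated copy-paste is rejected rather than silently accepted."""
    files, dumps, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_ROW.match(line)
        if m:
            if current is None:
                raise ValueError(f"hash row without a preceding path: {line}")
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HEX_LEN[algo]:
                raise ValueError(f"{algo} digest has wrong length for {current['path']}")
            current["hashes"][algo] = digest
            continue
        m = MEM_DUMP.match(line)
        if m:
            start, end = int(m.group(2), 16), int(m.group(3), 16)
            dumps.append({"pid": int(m.group(1)), "start": start, "size": end - start})
            current = None  # a dump line closes the previous file entry
            continue
        current = {"path": line, "hashes": {}}
        files.append(current)
    return files, dumps


def triage(files):
    """Flag zero-byte captures and paths captured with more than one digest."""
    by_path = defaultdict(set)
    for f in files:
        by_path[f["path"]].add(f["hashes"].get("SHA256"))
    empty = [f["path"] for f in files
             if f["hashes"].get("MD5") == EMPTY_FILE_DIGESTS["MD5"]]
    rewritten = {p: len(d) for p, d in by_path.items() if len(d) > 1}
    return {"empty": empty, "rewritten": rewritten}


if __name__ == "__main__":
    files, dumps = parse_listing(SAMPLE)
    print(f"{len(files)} file entries, {len(dumps)} memory dumps")
    for k, v in triage(files).items():
        print(k, v)
```

Run on the sample, the zero-byte entry is the crashpad pipe and the only rewritten path is `Crashpad\settings.dat` (two distinct SHA256 values); the memory dump line resolves to a 0x10000-byte region in PID 8092. Applied to the whole listing, the `rewritten` set is what separates files the sample actually modified from benign system log churn, and anything in `empty` should never be used as a hash indicator.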